Articles 37–39 of the GDPR set out its DPO-related requirements:
- When one must be appointed (Article 37);
- The nature of their position in the organisation (Article 38); and
- The tasks they must carry out (Article 39).
Infringements of articles 37–39 leave organisations open to the GDPR’s lower level of administrative fines: up to the greater of 2% of annual global turnover or €10 million (about £8.5 million), so it’s essential to meet your DPO obligations correctly and in full.