Data Protection Officer (DPO)

Outsourcing of data protection officer

A Data Protection Officer (DPO) is a person who must be appointed by an organization in the case of:

  • that the organization is a public authority or public body (excluding courts)
  • that the principal activities of the organization consist of processing operations which, by reason of their nature, scope or purpose, require regular and systematic monitoring of individuals to a large extent, or
  • that the core activities of the organization consist of extensive processing of specific categories of data

Who can be a data protection officer?

With regard to the tasks prescribed by the General Data Protection Regulation (GDPR) – Article 39, the Data Protection Officer should be an expert who:

He is well acquainted with the GDPR, laws and regulations governing the protection of personal data.
Personal data must be processed in the manner required by the General Data Protection Regulation (GDPR) and other laws and regulations governing the protection of personal data.

He knows enough about information security
Appropriate data protection needs to be established and implemented. The Data Protection Officer should be sufficiently familiar with information security and technology to be able to monitor existing security solutions and advise on the introduction of new ones.

Knows what to do in case of personal breach
In the event of destruction, loss, unauthorized access or alteration of personal data, the Data Protection Officer must be aware of all the steps he or she must take. He must be informed when and why a certain incident occurred (IT forensics), and when and whom he must inform.

Can provide advice on data protection impact assessment
Personal Data Protection Impact Assessment (DPIA) is the process of systematically analyzing, identifying, and reducing risk in organizational projects and plans. It helps assess how and to what extent an organization complies with data protection obligations.

Knows how to educate staff
The Data Protection Officer is in charge of informing and training the staff involved in the processing of personal data.

Who is in a conflict of interest?

The Data Protection Officer may be an employee of the organization and may perform other tasks and duties provided that such tasks and duties do not give rise to a conflict of interest. In other words, this function must be independent of any function that decides and manages the processing of personal data and therefore a large number of organizations have a problem appointing an official due to the lack of a person who is not in a conflict of interest.

“It is an unwritten rule that jobs that may be in a conflict of interest within an organization may be senior management positions (such as CEO, business director, finance director, chief medical officer, head of marketing, head of human resources or head of department for information technology), but also lower roles in the hierarchical structure of the organization if such positions or roles imply determining the purpose and manner of personal data processing “

Why outsource the Data Protection Officer (DPO) function?

Organizations choose to outsource employees most often because of:

  • Lack of professional staff – lack of sufficient professional staff in the organization or in the labor market. Given that the function of data protection officer is extremely sought after, a large number of experts are already employed in other organizations or no longer in Croatia.
  • Conflict of interest – In most organizations, employees who would be skilled enough to perform the function of data protection officer are already engaged in other tasks that would lead them to a conflict of interest.

Organizations through outsourcing can solve the problem by hiring an external expert. By outsourcing the function, you have secured expertise and avoided a possible conflict of interest.

Our experts have international experience in terms of the tasks of data protection officers, as well as the adaptation of organizations to the GDPR as well as the management of information security systems in organizations of various types and sizes. We also have extensive experience in education. Contact us with confidence!

Službenik za zaštitu podataka (DPO)


14 + 1 =


Copyright © 2020. ≈ Xiphos d.o.o.