Data Protection Officer (DPO) GDPR

Do it yourself or DPO?

Data Protection Officer

(Industry) organizations have the option of appointing an internal supervisor for the processing of personal data. Such a person is called a data protection officer (DPO). Within the organization, the DPO supervises the application and compliance with the Personal Data Protection Act (Wbp).

Later: mandatory DPO

Please note: from May 25, 2018, new European privacy legislation, the General Data Protection Regulation (GDPR), applies. Organizations may then be obliged to appoint a DPO. Of course, organizations may still voluntarily appoint a DPO. For more information, see the AVG file Data protection officer ( FG) .


The activities of a DPO can include:

  • supervise;
  • create inventories of data processing operations;
  • keep records of data processing;
  • Handling questions and complaints from people inside and outside the organization;

  • develop internal arrangements;
  • advising on technology and security ( privacy by design );
  • provide input when drafting or modifying a code of conduct.

Report data processing

Do you have to report risky processing to the Dutch Data Protection Authority ? If you have a DPO, you can report this to the DPO.

Requirements for DPO

The law imposes a number of requirements on DPOs:

  • A DPO must be a natural person. A works council or committee is therefore not eligible.
  • A DPO must have sufficient knowledge of the organization and privacy legislation.
  • A DPO must be reliable. This is reflected, among other things, in a duty of confidentiality.

Powers of the DPO

A DPO has no formal sanctioning powers. However, the organization is legally obliged to give the DPO supervisory powers. For example, a DPO must be authorized to enter areas, to investigate matters and to request information and access. The DPO must be able to independently perform his activities within an organization. A DPO has the same protection against dismissal as members of a works council. This means that he can only be fired after permission from the Subdistrict Court.

Supervision by the Dutch Data Protection Authority

If an organization has a DPO, the Dutch Data Protection Authority retains all powers as national supervisor. But the Dutch Data Protection Authority is reticent towards organizations with a DPO.

Professional association of DPOs

FGs can become members of the Netherlands Association of Data Protection Officers .

Appoint DPO

An (industry) organization can appoint one or more DPOs. The organization must then register each DPO with the Dutch Data Protection Authority. Only then can the DPO start as such. Please note: a controller (the person who determines the purpose and means for the data processing) cannot also be a DPO in his own organization.

Register DPO with the Dutch Data Protection Authority

You can register a DPO with the Dutch Data Protection Authority via the registration form . Then send this to: Autoriteit Persoonsgegevens for the File Management Department PO Box 93374 2509 AJ The Hague.

Public register of DPOs

The Dutch Data Protection Authority publishes registrations of DPOs in a register.

  • Is someone no longer a DPO? Then the organization must pass this on to the Dutch Data Protection Authority.
  • Will there not be a new DPO? In that case, the organization must notify all data processing to the Dutch Data Protection Authority .