Data Protection Officer (or DPO) is a position or contractor that helps the company introduce and maintain compliance with the data protection laws across the European Union and European Economic Area. A Data Protection Officer cannot be confused with a Chief Protection Officer, Chief Privacy Officer or Chief Information Security Officer (and cannot be replaced by the chief officer the company might have in place before May 2018). 

The position of the DPO was at first introduced in the Data Protection Directive of 1994, the predecessor of the GDPR. In May, 2018, the position was reintroduced as a mandatory in some cases, now without any corresponding requirement in the national law. If the company meets the thresholds set out in Article 37(1) of the GDPR (see below), it automatically needs a DPO to be appointed. 

You can learn more about the DPO’s after visiting our Blog.

At the core of the DPO’s service are the following pillars:

Training &

ongoing support

The DPO helps spread the knowledge and awareness of the GDPR throughout the organisation. 


The DPO is also the first contact in case of complicated decisions affecting privacy. The DPO is an invaluable source of assistance during the risk assessments.

Data subject


The DPO represents the company and its privacy considerations during the privacy-related conversations.

The DPO must not only know the law and company’s capabilities, but assess the risks of bad publicity and foresee the data subject’s next questions.


Accountability &


The DPO takes care of keeping the data protection documentation relevant and updated.

Moreover, the DPO’s advice often determines whether new practices or privacy impact assessment results must be documented and implemented in the daily routines.


Our privacy experts:

Kateryna Dubas
Head of GDPR Department

Anton Tarasiuk
Managing partner

Lyaskivskij Ivan
 IT lawyer

Igor Kotkov 
 IT lawyer


It doesn’t matter what role your organisation plays in a chain of data processing. Both controllers and processors have, given they meet the threshold, hire or contract a DPO. 

Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:

  • where the processing is carried out by a public authority or body;
  • where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.



    If you are not sure what some of these definitions mean with respect to your processing practices, you may ask our privacy team. Schedule a call to learn more of our DPO service and whether we can be a perfect match for your organisation. 

    This list can be complemented with the requirements of the EU member state law you have to comply with. So, you should check your national law to know whether you have to designate a DPO (especially if you are working with health data, banks, national IDs, religious or legal information, or otherwise have access to the data protected by confidentiality or secrecy). 

    Also, be aware of the differences in addressing the thresholds. For instance, one state can calculate “large scale processing” in comparison of the user percentage in the population of a specific area. On the other hand, another state may link the “large scale processing” with a particular number of unique users in a company’s database. 

    However, if you have your doubts, it may be feasible to hire one just in case.

The GDPR doesn’t set the strict rule to employ the DPO. On the contrary, it clearly mentions the “external” DPOs, describing the contents of the service contract if you decide to outsource this task to a skilled independent professional (or even a privacy team). 

Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. Recital 97 provides that the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. 

Other skills include: 

  • Level of expertise (in relevant fields).
    We worked with gamedev, cloud solutions, e-commerce, online education, AdTech and digitalised offline businesses. Please look at our Clutch page to learn more. 
  • Professional qualities.
    We work closely with the privacy laws of the U.S., the European Union and Ukraine. We are certified and trained lawyers, and we possess a relevant expertise in dealing with the DSARs, assisting with the supplier assessment checks and drafting data processing agreements.
  • Ability to fulfil its tasks.
    We have a variety of services to offer. From relevant consulting and drafting necessary documents to navigating complicated court proceedings and out-of-court confidentiality violation disputes. 

The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO. 

However, the data controller benefits from the DPO’s expertise and insights as a counsel. The DPO therefore is accountable to the company’s top management, including the highest management circles. CEO, CFO, CISO, CLO and other chief officers shall keep in mind the advice of the DPO and make sure that the DPO possesses all necessary resources to provide them with the most relevant information and assessment results. 

DPO is closely linked to the public image of the company, as the DPO is often a first contact of a dissatisfied user or worried tech journalist. Choose your DPO wisely. 


Get in contact with one of our resident privacy experts and schedule a call to see whether we’re on the same page with your tech. 

You may request an NDA to be signed prior to the call. Otherwise, you can stop by our Kyiv office and enjoy the scenery of the city centre during a cup of fresh coffee. Make sure you’ve made the appointment so we will be ready to answer your questions. 

Read more about GDPR

GDPR audit. Create a roadmap to GDPR compliance
Peculiarities of the GDPR Compliance in Cyprus
GDPR and Personalized Nutrition Apps

Vebinars about GDPR

Have more questions? Get in touch with us