Under GDPR Articles 35 and 39, organizations with a Data Protection Officer (DPO) must consult them when conducting a Data Protection Impact Assessment (DPIA). However, controllers are not required to follow the DPO’s advice. WP29 DPIA guidance clarifies that:
The DPO’s advice and the controller’s final decision must be documented in the DPIA.
The DPO assists with:
Determining if a DPIA is needed.
Choosing the DPIA methodology.
Reviewing whether the DPIA was properly conducted.
National SA Guidance on DPO Involvement
Maltese SA: The DPIA template includes a dedicated space for the DPO’s comments and signature.
Swedish SA: The DPO must be consulted, but ultimate responsibility remains with the controller.
German SA: The DPO should advise the DPIA team, conduct a final review, and report findings to management.
Key Takeaways
DPOs play a supporting and monitoring role, not a decision-making one.
Controllers must document the DPO’s input, even if that advice is not followed.
National regulators reinforce the DPO’s advisory function but clarify that accountability remains with the controller.
By properly involving the DPO, organizations ensure a transparent, well-documented, and GDPR-compliant DPIA process.