What is a DPO — and why is theirs the email address you want?
A Data Protection Officer is the mandatory in-house privacy referee at authorities and data-heavy companies — independent by law, and the fastest route for your requests.
A Data Protection Officer (Art. 37–39) is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale special-category data — so every ministry, hospital chain, insurer, telecom and ad-tech firm has one. Why they matter to you: the DPO is legally independent (cannot be instructed or fired for doing the job), must be reachable by data subjects, and their contact details must be published and registered with the DPA. A request sent to the DPO lands with the one person whose job is compliance, skipping the customer-service deflection layer — which is why our letters address them. Finding them: privacy policy (a mandatory disclosure), or ask the DPA which DPO is registered. What they are not: your advocate — the DPO serves compliance, not your claim. For adversarial escalation you still go to the authority. Smaller companies without a DPO must still name a privacy contact; “we have no DPO” never excuses ignoring your rights. If a company that plainly should have a DPO has none, that itself is a reportable violation.
Verified against the sources above on 18 July 2026. Information, not legal advice.