Commentary to art. 38


GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Position of the Data Protection Officer

The Data Protection Officer (“DPO”) is often appointed from among existing staff. The DPO may perform other tasks and duties, but the entity appointing the DPO must ensure that this does not create a conflict of interest.

What the entity that has appointed the DPO must provide:

The entity that has appointed a DPO:

  1. Ensures that the DPO is properly and in a timely manner involved in all matters relating to the protection of personal data.

    The Article 29 Working Party Guidelines on Data Protection Officers (the Working Party established under Article 29 of Directive 95/46/EC) emphasise that the DPO should be involved in personal data protection matters at the earliest possible stage. Among other things, this helps to ensure compliance with the GDPR principle of data protection by design (GDPR Article 25).

    The Guidelines also indicate that the opinion of the DPO should always be given due weight. It is good practice to document the instances in which the entity acts contrary to the DPO's recommendation, together with the reasons for doing so.
     
  2. Supports the DPO in fulfilling his or her duties under GDPR Article 39 by providing him or her with the resources necessary to fulfil them, with access to personal data and processing operations and with the resources necessary to maintain his or her expertise.

    The guidelines indicate that resources include staff support, continuous training, management support, and time to enable the DPO to fulfil his or her tasks. The decision on resources should depend on the individual circumstances of the institution or company concerned, such as its size and the nature of the data being processed.
     
  3. Ensures that the DPO does not receive instructions regarding the performance of his or her duties.

    In practice, this means, among other things, that the DPO must not receive instructions or orders on how a case is to be handled, what action is to be taken or what position is to be adopted in a case.


On the surface, these provisions may seem to pose no major problems and to be fairly easy to implement. However, the entity that has appointed the DPO should bear in mind that, in practice, the supervisory authority may require documentation of the above actions. In its catalogue of sample questions relating to the DPO, PUODO (the Polish supervisory authority) has listed the following questions:

  • What specific resources are made available to the DPO?
  • How does the entity ensure that the DPO is properly and promptly involved in all matters relating to personal data?
  • How does the entity ensure that the DPO does not receive instructions on his or her tasks?

This means that it is not enough to appoint a DPO and stay out of his or her way. The entity that has appointed a DPO should put in place appropriate procedures to allow that person to carry out his or her duties in accordance with the GDPR. Otherwise, the entity exposes itself to liability under the GDPR.

To whom does the DPO report:

The DPO reports directly to the highest management level of the entity that has appointed him or her; the reporting line may not be routed through anyone else. The DPO may not be penalised or dismissed (directly or indirectly) by the entity that has appointed him or her for performing his or her duties. This provision reinforces the independent position of the DPO. The DPO may, of course, still be dismissed for reasons unrelated to the performance of his or her duties (e.g. sexual harassment). Nor does this provision protect a DPO who fails to perform his or her duties properly.

Again, it is important to note that the supervisory authority may ask how specifically the entity ensures that the DPO cannot be penalised or dismissed for carrying out his or her duties.

Conflict of interest:

The DPO may have other duties and responsibilities, but the entity appointing the DPO must ensure that this does not create a conflict of interest. In practice, entities that appoint DPOs often overlook this and select the DPO from among existing staff without considering whether that person's existing role creates a conflict of interest. In doing so, they expose themselves to potential liability under the GDPR.

When can a conflict of interest arise? According to the Guidelines, a DPO “may not hold a position in an institution or company that involves determining the means and purposes of data processing”. As rightly pointed out, this issue should be analysed on a case-by-case basis for each institution or company, and the Guidelines help with this task by providing examples of positions where, in principle, a conflict of interest may arise.

According to the Guidelines, a conflict of interest arises, inter alia, when:

  • The DPO holds a senior position (Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR, Head of IT);
  • The DPO holds a junior position but is involved in determining the purposes and means of data processing;
  • An external DPO has been asked by the entity that had appointed him or her to represent it before a court in a personal data protection case.

In an example published on its website, PUODO points out that even where the head of an organisational unit (e.g. the human resources manager) is not personally involved in deciding which data are collected from job applicants, because that task belongs to another employee of the unit, the conflict of interest remains: the head is responsible for the overall functioning of the unit, including that employee's decisions.

The mere absence of a conflict of interest is not sufficient to ensure that the entity that has appointed the DPO does not expose itself to sanctions under the GDPR. In order to demonstrate compliance with GDPR Article 38(6) to the authority, the entity should implement a conflict-of-interest management policy or put in place another mechanism to ensure that there is no conflict of interest. The possibility of conflicts of interest arising should be monitored on an ongoing basis.

In the National Report of the Polish Supervisory Authority on the Study on the Appointment and Position of the DPO, available on the PUODO website, PUODO identified an example of a conflict-of-interest situation involving a provider of outsourcing of DPO functions:

PUODO identified, in several entities, the problem of companies that provide outsourced DPO services and, at the same time, perform for the same controller so-called GDPR implementation and other services relating to risk analysis and assessment, the handling of requests and claims from data subjects, and information security in the broad sense. As a result, the same person first decided on the principles of personal data processing and on the way in which the controller's duties were to be performed, identified and assessed the risks of processing and secured the personal data, and then, in the capacity of DPO, assessed the correctness of the very solutions and decisions he or she had adopted. The DPO was thus supervising his or her own activities, which constitutes a conflict of interest expressly prohibited by GDPR Article 38(6).

In order to ensure compliance with GDPR Article 38, it is therefore crucial that adequate procedures are implemented and documented by the entity appointing the DPO.

Selected decisions by European supervisory authorities:

German supervisory authority fine (EUR 525,000): the DPO supervised decisions he had himself taken in another capacity.