A data protection officer (DPO) monitors an organization's compliance with data protection requirements. The DPO is a statutory position regulated in the EU's General Data Protection Regulation (GDPR). The position is thus set in law, similarly to positions such as the CEO, which is regulated by the applicable Limited Liability Companies Act.
In practice, the DPO monitors the organization's compliance with data protection rules, points out possible deficiencies, and informs and advises the management and the employees on data protection matters.
Pursuant to the GDPR, a person acting as a DPO must have sufficient data protection expertise to perform the task and be free of any conflicts of interest in relation to their duties.
As one might guess from the title, this article is about conflicts of interest pertaining to the duties of a DPO.
The DPO must be free of any conflicts of interest
A DPO should be able to perform their duties and tasks free of any conflicts of interest. That said, a DPO may fulfil other tasks and duties, but these must not result in conflicts of interest. As a consequence, the DPO cannot hold a position within the organization that allows them to influence the processing of personal data. Because the organizational structure of each company is unique, the conflicting positions have to be assessed case by case.
According to the guidelines and the case law, the conflicting positions most notably include senior management positions, such as:
- Chief executive officer
- Chief operating officer
- Chief financial officer
- Sales Director
- HR manager
- Chief information security officer (NB: exceptions have been made in case law; see the section on case law below)
Conflicting positions may also include other roles lower down in the organizational structure if such positions or roles involve determining the purposes and means of processing.
In other words, the DPO should not be in a position to be both the judge and the jury, as the dual position would result in a situation where the DPO sits at both tables: they would both define the data protection practices and assess their compliance with the law.
Case law on conflicts of interest of a DPO
Conflicts of interest of the DPO have been a fairly common basis for imposing administrative fines at the EU level.
In 2020–2021, the Belgian Data Protection Authority imposed administrative fines of 50 000 and 75 000 euros on companies whose DPOs were not free of conflicts of interest in their duties:
- In the first case, the DPO was also acting as the director responsible for audit, risk and compliance within the company. The DPO was found to have a conflict of interest, since they could influence the processing of personal data in that position.
- In the second case, in addition to their duties as DPO, the person was also the head of three departments with decision-making powers over the processing of personal data, and the management positions were not purely advisory or supervisory in nature. This resulted in a conflict of interest.
In 2022, the Berlin data protection authority went even further and imposed an administrative fine of 525 000 euros in a similar case. In that case, the person designated as DPO was also a managing director of two service companies in the same group of companies. The DPO was thus responsible, as DPO, for the data processing activities of companies for which they were also acting as managing director, which caused a conflict of interest.
In 2021, however, the Belgian data protection authority also specifically stated that certain management positions within the company's organization may in themselves be permitted, as long as the position is advisory in nature and cannot influence the purposes and means of personal data processing. In that case, the authority stated that the position of chief information security officer (CISO) could be combined with the duties of a DPO, if:
- The CISO performs risk analyses – as head of the department – and presents suggested mitigation measures to the management;
- Management decides whether or not to adopt the suggested measures;
- Security measures are not within the scope of the CISO's function.
It is, however, another question how many CISOs in practice function only in an advisory capacity without decision-making power over the purposes and means of personal data processing.
In light of the guidelines and case law, the head of an organization or a department cannot, in principle, act as a DPO, because in practice the management determines the purposes and means of personal data processing. Organizations should therefore be careful when combining the position of DPO with other positions.
In an ideal situation, the DPO would be in a direct employment relationship with the company, since then it is much easier for the DPO to be informed about the company's operations and the level of data protection. However, hiring a DPO without combining the position with other tasks and duties can prove financially burdensome for some organizations.
Outsourcing the DPO to an external service provider can offer certain organizations the needed help to fulfil their data protection obligations or to enhance their data protection without the threat of conflicts of interest within the organization.
Our Associate Trainee Savva Kuparinen took part in writing this article.