Francesca Giannoni-Crystal and Cristina Vicarelli
In Section 3.5 of Article 29 Working Party (WP29)’s Guidelines on Data Protection Officer (“DPOs”) (“Opinion”), the WP29 discusses the issue of conflict of interest for DPO. See here for more information on this opinion.
The WP29 points out that while Article 38(6) GDPR allows a DPO to perform “other tasks and duties”, the organization must avoid appointment in which those “other tasks and duties” generate a conflict of interests,
The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case. Opinion at 15.
But when specifically does a conflict of interest ensue? The WP29 offers some examples of incompatibilities of roles in footnote 34:
As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. Footnote 34 of Opinion.
From this footnote it would seem that the WP29 follows a position that has already emerged in Germany regarding the DPO, i.e, that there is an impermissible conflict of interest if the DOPO is called to supervise his or her own activity. See for example, the recent sanction issued by the Bavarian DPA to a company who had appointed its IT manager as DOP.
Moreover, the Opinion makes it quite clear that WP29 sees the position of the DPO as having more of a legal character than a technical one. Before the WP29 issued its opinion, there was a divergence of opinions about whether the DPO should have more a technical preparation (which would allow him or her to be better skilled on cybersecurity) or a more legal background. The Opinion emphasizes that the DOPO must have most of all a legal preparation, intending by this knowledge of both EU data protection and the specific domestic data protection law. The opinion highlights the need for the DPO to have most of all legal education and legal experience; he or she can use the assistance by technicians, if needed.
For more information, Francesca Giannoni-Crystal and Cristina Vicarelli.