The DPO must be free of conflicts of interest. The tasks and duties of the DPO must not result in a conflict of interest, meaning that the DPO cannot hold a position or perform tasks within the organisation that lead her or him to influence the use of personal data. This affects how the DPO is appointed and how data governance is organised.
The independence of the DPO
The role of the DPO is regulated by Articles 37-39 of the GDPR. In general, the DPO shall advise and inform their organisation of applicable legislation and standards, advise on risk assessments and DPIAs, and act as a liaison to the supervisory authority and data subjects. The purpose of the role is to give the organisation the capability to use personal data in accordance with laws and regulations and with the expectations of individuals.
In order to provide this leadership, independence and freedom from conflicts of interest are fundamental elements of how the role shall sit within the organisation. Article 38 of the GDPR sets out the requirements of the DPO and how the DPO must sit within the organisation. Article 38(6) GDPR states that:
This means that the specific role of the DPO must be defined in a service contract (external DPO) or a job description (internal DPO) and communicated internally within the organisation. Further, the DPO must have resources that are relevant and adequate for the demands of the organisation. This most often includes a budget and a mandate to engage external legal advice if needed. In the governance framework of the organisation, the DPO must be recognised as independent by the highest management and be supported in carrying out the full range of DPO tasks, from compliance checks to post-breach or enforcement investigations, without receiving any instructions that would hinder or influence the process or outcome of such tasks.
Company roles that constitute a conflict of interest
The EU expert group interpreting the GDPR and data privacy legislation has issued guidelines on the role of the DPO (the “Guidelines”). Although it is considered acceptable for the person appointed as DPO to have other tasks and duties besides the DPO role, those functions must not give rise to conflicts of interest.
“This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.” Guidelines, page 15.
The Guidelines go on to set out the positions that typically conflict with the DPO role:
- senior management positions,
- chief executive,
- chief operating,
- chief financial,
- chief medical officer,
- head of the marketing department,
- head of Human Resources,
- head of the IT department, and
- other roles lower down in the organisational structure, if such positions or roles lead to the determination of the purposes and means of processing.
A senior management position implies decision-making on the purposes and means of the processing of personal data. This is a competence that is reserved to the data controller and its representative bodies (e.g. a compliance committee). Further, management positions must treat economic interests as a priority and strive for cost control. Hence they often lack the so-called “arm’s length” distance from their organisation, which may affect data subjects negatively.
A position further down in the organisation may still face conflicting roles, as the holder may have to self-monitor their own activities and compliance. IT managers or marketing managers decide on essential IT or marketing issues respectively and cannot be accepted as independent DPOs.
The supervisory authority in the UK, the ICO, states that the DPO should not be expected to manage competing objectives that could result in data protection taking a secondary role to business interests. Along the same lines, the French supervisory authority, the CNIL, states that the DPO cannot be both judge and jury.
From this rule of thumb, it can be argued that a number of additional roles would create a conflict of interest for the DPO. Most probably the chief legal counsel would also be excluded from holding the position of DPO, as the role influences risk acceptance and the use of personal data. Examples of additional conflicting functions:
- CIO – who defines the IT strategy: where the data resides, who accesses it and how, and what infrastructure to use;
- CISO – who creates security strategies with particular prioritisations;
- Chief Legal Officer / Head of Legal – who balances the interests of the organisation against what is permissible and/or possible under applicable law;
- Heads of departments – including the Head of Compliance – who determine how personal data is used within their teams to meet their business objectives.
GDPR Fines for DPO conflict of interest
In the latest enforcement case, a company in Belgium was fined EUR 50,000 because its DPO had a conflicting role as Director of Audit, Risk and Compliance. The Litigation Chamber of the Belgian supervisory authority (the “APD”), found that the Head of Compliance role created a conflict of interest and constituted an infringement of Article 38(6) of the GDPR.
The company argued that the Head of Compliance function was advisory and that the person did not take any decisions on the purposes and means of the processing of personal data.
The APD took a strict approach: the Head of Compliance had significant operational responsibility for data processing activities within audit, risk and compliance. Being Head of Compliance implied that the person determined the purposes and means of the processing in that department. By combining the function of Head of Compliance with the DPO role, the company had no independent supervision.
The APD chose to issue a fine, rather than to order the appointment of an alternative DPO, because the conflict of interest, although unintentional, constituted serious negligence by the organisation. You can read the full enforcement decision here (in French).
Also of interest, the case was brought before the APD following a data breach at the company. In the course of investigating the data breach, the APD found the conflict of interest of the DPO.
How to avoid creating a conflict of interest
A DPO can be chosen from internal resources, or the function can be fulfilled under a service contract by an external consultant. Irrespective of how the DPO function is fulfilled, it is considered best practice to:
- identify the positions within the organisation which would be incompatible with the function of DPO,
- draw up internal rules to avoid a DPO conflict of interest,
- have the DPO declare that they have no conflict of interest with regard to the DPO function, as a way to raise awareness of the requirement of independence,
- include safeguards in the internal rules to ensure that, in the event of a vacancy in the DPO function, the vacancy is filled with an appropriate resource,
- provide the DPO with a budget and the ability to retain their own legal advice in case an opinion independent of the organisation is needed, and
- have the DPO report to the highest management, preferably in the forum of a compliance committee with representation from the highest management (including the board of directors).
The external DPO, fulfilling the function as a consultant under a service contract, can face a different kind of conflict of interest. For example, the consultant must always be vigilant about any relationships or situations with other clients and counterparties that may create a conflict of interest with the DPO appointment. It is also not advisable to have the external DPO represent the organisation in court in cases concerning data protection issues. The service contract should include an obligation on the consultant to watch for any conflict of interest and should regulate how such issues are managed during the appointment as DPO.
The DPO may still provide advice to the business on matters that fall outside the DPO’s regulated tasks in Article 39 (that is, other than risk assessment and DPIA advice, cooperation with the supervisory authorities and liaison with data subjects).