GDPR outsourcing in business

Can a Data Controller also be a Data Protection Officer?

In the era of GDPR (General Data Protection Regulation), many organizations wonder whether certain data protection roles can be combined. One frequently asked question is: can a Data Controller (ADO) also serve as a Data Protection Officer (DPO)?

Definitions and roles – ADO and DPO

ADO

The Data Controller (ADO) is the entity that determines the purposes and means of processing personal data. The controller is responsible for ensuring that processing activities comply with applicable regulations and that personal data is properly protected.

DPO

The Data Protection Officer (DPO) is a person appointed by the Data Controller or a Data Processor to monitor compliance with data protection regulations, provide advice on data protection matters, and cooperate with supervisory authorities.

GDPR requirements

According to Article 38(6) of the GDPR, a DPO may perform other tasks and duties in addition to those related to data protection, provided that these additional responsibilities do not result in a conflict of interest. In practice, this means that a DPO should not hold a position that involves determining the purposes and means of processing personal data.

Conflict of interest

Serving as both the Data Controller and the Data Protection Officer can create a conflict of interest. The Data Controller is responsible for making decisions regarding the processing of personal data, while the DPO is responsible for monitoring those activities and advising on compliance with data protection laws. Combining these roles makes it impossible to provide objective oversight and independent assessment of data processing operations.

"Separating the roles of the Data Controller and the Data Protection Officer is essential to maintaining independence and objectivity in data protection processes." – Tomasz Ochocki, Vice President of the Management Board, ODO 24.

Recommendations

To ensure GDPR compliance and avoid potential conflicts of interest, we recommend:

  • appointing an independent DPO who does not perform other duties that could compromise their independence;
  • considering outsourcing the DPO function to an external provider, which can enhance objectivity and professionalism in data protection matters.

DPO outsourcing – when is it worth considering?

Source: www.odo24.pl/oferta/outsourcing-funkcji-iod

It is also important to remember that GDPR implementation is a process that requires commitment and appropriate resources. Professional GDPR support can help organizations meet legal requirements and ensure the security of personal data.

Summary

Although GDPR does not explicitly prohibit combining the roles of Data Controller and Data Protection Officer, in practice it is not possible to perform both roles without creating a conflict of interest. For this reason, it is recommended that these functions remain separate in order to ensure independence, objectivity, and effective oversight of personal data processing activities.
