GDPR outsourcing in business

Can a Data Protection Officer process personal data?

The Data Protection Officer (DPO) plays a strategic role in managing personal data security within an organization. Questions sometimes arise as to whether a DPO can personally process personal data. The answer is clear: yes, they can—provided that doing so does not compromise their independence.

The key issue, however, is whether a DPO may make decisions regarding the processing of personal data within the organization. Under GDPR, a DPO should not be directly responsible for managing data processing operations or making decisions about them. Their role is to provide advice, monitor compliance, and support the organization while remaining independent from operational activities involving personal data.

Let us examine what the regulations and practical experience say on this matter.

What does GDPR say?

According to Articles 37–39 of the GDPR, the Data Protection Officer performs an advisory and supervisory role in matters related to the processing of personal data. Their responsibilities include:

  • informing the controller and processors about their obligations under data protection laws;
  • monitoring compliance with GDPR and internal data protection policies;
  • training employees within the organization;
  • cooperating with the supervisory authority.

Importantly, GDPR provisions relating to the Data Protection Officer indicate that their duties should involve supporting the organization in the processing of personal data through advisory activities, compliance monitoring, and training. However, the DPO should not make key decisions regarding the purposes or methods of processing personal data within the organization.

This restriction exists to preserve the DPO's independence. The DPO cannot simultaneously act as the person responsible for operational management of data processing activities. Their role is to support the organization in fulfilling its GDPR obligations while avoiding conflicts of interest.

Can a DPO process personal data?

According to Article 38(6) of the GDPR, a DPO should not hold positions within the organization that involve making decisions about the purposes and methods of processing personal data. However, in other circumstances, they may process personal data.

This means that the DPO cannot perform management functions in areas such as IT, Human Resources, or Marketing, as doing so could create a conflict of interest.

It is important for the DPO to maintain independence, as this enables them to effectively carry out their supervisory and advisory responsibilities within the organization. Their role is to monitor GDPR compliance, support the organization, and provide guidance on data protection matters while avoiding situations that could compromise the objectivity of their work.

As Paweł Radecki, Compliance Expert at ODO 24, explains:

"A DPO is a guardian, not an operator. Their role is to advise and supervise, not to actively manage the processing of personal data."

Exceptions and practical considerations

In practice, there are situations in which a DPO may have access to personal data, for example during audits, when investigating data security breaches, or while providing advice to the organization. Such activities are an integral part of the DPO's supervisory role and fall within their responsibilities.

However, it is crucial that these activities do not create a conflict of interest. Under GDPR, a DPO should not hold positions involving decisions about the purposes and means of processing personal data. For this reason, they should not occupy management roles in areas such as IT, HR, or Marketing that could compromise their independence.

Examples of DPO activities:

  • analyzing reported personal data breaches as part of cooperation with the supervisory authority;
  • verifying compliance with GDPR policies during internal audits;
  • providing consultations regarding personal data processing in new projects.

Statistics indicate that as many as 78% of organizations in Poland use outsourced DPO services, which helps minimize the risk of conflicts of interest and provides an independent perspective on data processing activities.

[Figure: List of breaches according to the UODO; Scope of DPO services. Source: www.odo24.pl/oferta/outsourcing-funkcji-iod]

How to avoid conflicts of interest?

It is essential that the DPO's role remains clearly separated from responsibilities involving decisions about the purposes and methods of processing personal data within the organization. The Data Protection Officer should perform a supervisory role, support the organization in monitoring GDPR compliance, and provide guidance on data protection matters while maintaining complete independence.

A good way to achieve this is through DPO outsourcing. This allows the organization to benefit from a specialist whose role is not burdened by potential conflicts of interest arising from other responsibilities within the company.

Summary

A Data Protection Officer (DPO) should not be responsible for making decisions regarding the purposes and methods of processing personal data within an organization. Their role is to monitor GDPR compliance, provide advice, and support the organization in matters related to personal data protection.

Such separation of responsibilities is essential for avoiding conflicts of interest and ensuring the DPO's independence.

If you would like to learn more about effectively implementing data protection principles within your organization, explore our GDPR implementation services.
