GDPR outsourcing in business

Can a DPO perform other duties?

The role of a Data Protection Officer (DPO)—although not mandatory in every organization—has become an important element of GDPR compliance, particularly in companies that process large amounts of personal data. Despite the widespread use of DPOs, one question continues to raise doubts: can a DPO combine their responsibilities with other duties within the organization?

Regulations – what does the law say?

According to Article 38(6) of the GDPR, a Data Protection Officer must not perform any duties or tasks that could result in a conflict of interest. It is clear that a DPO must operate independently, but where does that independence begin and end?

It is important to remember that GDPR does not formally prohibit assigning additional responsibilities to a DPO. However, those responsibilities must not interfere with the DPO's supervisory role.

For example, a DPO may support the HR or marketing department by advising on how personal data should be processed in compliance with GDPR. They may also recommend appropriate technical and organizational measures to protect personal data. Such guidance contributes to the effective implementation of GDPR requirements and benefits the organization as a whole.

However, it is crucial that the DPO does not become directly involved in making decisions regarding data processing operations. Doing so would place the DPO in an operational role and could create a conflict of interest.

A good example of duties that could conflict with DPO independence would be assigning them full responsibility for GDPR compliance implementation or supervision of the day-to-day operations of individual departments. In such cases, the DPO becomes both the supervisor and the executor, which is inconsistent with the purpose of the role.

Conflict of interest – what should organizations watch for?

The primary risk associated with assigning additional responsibilities to a DPO is the possibility of a conflict of interest. For example, a situation in which a DPO is responsible for monitoring compliance while simultaneously managing the IT department could compromise their impartiality. In effect, the DPO would be auditing and supervising their own decisions and activities.

In 2020, the European Data Protection Board (EDPB) reminded organizations that a conflict of interest may arise when a DPO combines their duties with responsibilities involving decisions about the purposes and means of processing personal data.

How can the risk be minimized?

Many organizations choose DPO outsourcing. In this model, the DPO is an external professional, allowing for a clear separation of responsibilities and significantly reducing the risk of conflicts of interest. Companies specializing in DPO outsourcing (such as ODO 24) provide comprehensive support, ensuring compliance with GDPR requirements without placing additional demands on internal resources.

"Independence and the absence of conflicts of interest are fundamental elements of the DPO role—this is emphasized in European regulatory guidance." – Tomasz Ochocki, Vice President of the Management Board, ODO 24.

What are the consequences?

Failure to properly separate the responsibilities of a Data Protection Officer can have serious financial consequences. One example is a €525,000 fine imposed by the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) on a company belonging to a local retail group due to a conflict of interest involving its DPO.

Remember!

Implementing appropriate procedures and avoiding the combination of conflicting roles helps minimize the risk of such situations.

In what situations are additional duties permitted?

A DPO may take on additional responsibilities provided that they:

  • are not incompatible with the DPO's independence;
  • do not require making decisions about how personal data is processed;
  • do not involve supervising activities that the DPO personally performs.

This structure helps establish clear boundaries between responsibilities that a DPO may undertake and those that should remain outside the scope of the role.

GDPR implementation and ongoing compliance support – who can help?

In organizations with more complex structures, the growing complexity of data protection regulations means that not only the appointment of a DPO, but also GDPR implementation and ongoing GDPR compliance support, are often handled with the assistance of external specialists. This approach helps organizations maintain legal compliance while preserving operational efficiency.

Summary

The fundamental principle of GDPR is clear: a Data Protection Officer must act independently and without conflicts of interest. Combining the DPO role with other responsibilities requires a carefully designed organizational structure and a well-planned division of duties. Failure to maintain this separation can create not only financial risks but also reputational risks—risks that are increasingly regarded as some of the most significant threats facing modern organizations.
