Can a director be a data protection officer?
ANSWER
As a general rule, individuals holding managerial positions who determine the purposes and means of processing personal data should not perform the role of DPO within the controller's entity. Such an arrangement may give rise to a conflict of interests.
This position has been expressed in legal doctrine:
- The concept of conflict of interests should be interpreted with reference to the tasks of the data protection officer and their independence in performing them, and not with reference to the broadly understood interests (e.g., economic) of the data controller (which in certain situations may not be aligned with compliance with GDPR provisions). Legal literature indicates that "a conflict of interests arises in a situation where it is not possible to reconcile the proper performance of the tasks of the data protection officer with the performance of other tasks, because between those tasks there exists (or may exist) an incompatibility (contradiction) that makes it impossible to perform them properly" (P. Fajgielski, General Data Protection Regulation, p. 437)
- As the Article 29 Working Party stated (Guidelines WP 243 rev. 01, p. 20), the requirement not to give rise to conflicts of interests is closely related to the requirement to perform tasks in an independent manner. As the fundamental issue in this regard, the Article 29 Working Party indicates that "the DPO cannot hold a position within the organisation that would give them access to information allowing them to determine the purposes and means of processing personal data.
- As the Article 29 Working Party further argues, as a general rule, senior management positions are considered to give rise to a conflict of interests (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of human resources department, head of IT department), but also other positions at lower levels of the organisational structure, if holding those positions or performing those functions provides the possibility of determining the purposes and means of processing.
On this issue, UODO has also expressed its position on numerous occasions – the links below provide access to interpretations of the concept of "conflict of interests".
