GDPR questions and answers

Category:
Incidents and Fines

Can the Data Protection Officer be a member of the team receiving and handling reports?

ANSWER

We must take into account the Guidelines on Data Protection Officers (WP 243), in particular the provisions on potential conflicts of interest:

"3.5 Conflict of interests. Article 38(6) enables the DPO to perform "other tasks and duties". The article further provides that "the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests".

The requirement to avoid conflicts of interests is closely linked to the requirement to perform tasks in an independent manner. Although the DPO may hold other tasks and duties, they must not give rise to a conflict of interests. This means that the DPO cannot hold a position within the organisation that entails determining the means and purposes of the processing of personal data. Given the individual character of each organisation, this aspect should be analysed separately for each entity.

As a rule, senior management positions (chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR, head of IT) will be considered to give rise to conflicts of interests, but also lower-level positions if they participate in determining the purposes and means of processing. Furthermore, a conflict of interests may arise where an external DPO is asked to represent the controller or processor before a court in proceedings concerning personal data protection."

Theoretically, the DPO does not participate in determining the purposes and means of processing. On the other hand, there is a strong likelihood (especially in smaller organisations) that they will de facto create the whistleblower reporting procedure, or at least provide an opinion on it. Moreover, whistleblower reports may concern, among other things, breaches within the scope of EU acts relating to privacy and personal data protection and network and information system security. A situation may then arise in which the DPO, when handling a report, would be assessing their own work, which would give rise to a conflict of interests.

In summary, in my view it is not advisable for the DPO to be a member of the team handling reports.
