Can a person serving as DPO also be employed in another role with the same controller? When does a conflict of interest arise?
ANSWER
The Article 29 Working Party (now the European Data Protection Board) addressed possible conflicts of interest in its guidelines, available at: https://archiwum.uodo.gov.pl/pl/3/1348. On page 20 of that document, the following position can be found:
"The requirement that there must be no conflict of interests is closely linked to the requirement that the DPO performs their tasks in an independent manner. Although the DPO is permitted to hold other functions, those additional tasks and duties may be assigned only where they do not give rise to conflicts of interests. This means, above all, that the DPO must not hold a position within the organisation that would give them access to information enabling them to determine the purposes and means of the processing of personal data. Given the specific organisational structure of individual organisations, these issues must be resolved on a case-by-case basis. In general, positions within an organisation that may give rise to a conflict of interests may include senior management roles (such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR, or head of IT departments), but also other positions at lower levels of the organisational structure if holding those positions or performing those functions makes it possible to determine the purposes and means of processing."
We discuss appointing a DPO and the possible conflicts of interest in more detail in the article "Data Protection Officer still in demand".
Determining whether a conflict of interest would arise in the described case would require a detailed review of the scope of competence of the person holding the additional position. In general, to avoid a conflict of interest, the DPO must not hold a "decision-making" role in determining whose data, what data, and in what manner will be processed.


