The regulation states that conducting an audit is the controller's task. Does the DPO carrying it out not create a conflict of interest?
ANSWER
Pursuant to Article 39(1)(b) GDPR, the tasks of the data protection officer include monitoring compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. Conducting audits is therefore precisely the means by which the DPO fulfils this obligation.
- Has the DPO developed (or systematically develops) a work plan, e.g. regarding training and audits?
- Was such a plan presented to the controller to allow an assessment of whether the DPO has sufficient resources and powers in the areas covered by the DPO's tasks?
- How often and in what manner does the DPO communicate the results of conducted audits to the controller?
The data protection officer should be impartial and independent of the controller, and may therefore conduct an internal audit; however, the DPO should receive substantial support from the controller, both in terms of the resources needed to carry out the audit and in terms of organising the audit itself.
A potential issue arises in the part of the audit where the DPO conducting it would have to assess their own competence and actions against the requirements of the GDPR. For that part, the best solution is to appoint another auditor, e.g. another person within the organisation or an external party.