Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 3.5. Conflict of interests
Article 38 (6) allows DPOs to ‘fulfil other tasks and duties’. It requires, however, that the organisation ensure that ‘any such tasks and duties do not result in a conflict of interests’.
The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
- to identify the positions which would be incompatible with the function of DPO
- to draw up internal rules to this effect in order to avoid conflicts of interests
- to include a more general explanation about conflicts of interests
- to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
- to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.