Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 5.10 What are the safeguards to enable the DPO to perform her/his tasks in an independent manner? What does ‘conflict of interests’ mean?
Several safeguards exist in order to enable the DPO to act in an independent manner:
-
no instructions by the controllersor the processors regarding the exercise of the DPO’s tasks
-
no dismissal or penalty by the controller for the performance of the DPO’s tasks
-
no conflict of interest with possible other tasks and duties
The other tasks and duties of a DPO must not result in a conflict of interests. This means, first, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
Source: Article 38(3) and 38(6) of the GDPR
