There is plenty of guidance around the designation of a Data Protection Officer, the duties that go with the role and the obligations of the organisation around the set-up of the role (independence, adequate resources, access to senior management). Much of this information was published before GDPR came into effect; the Article 29 Working Party “Guidelines on Data Protection Officers (‘DPOs’)”, for example, was published in April 2017 and later endorsed by the European Data Protection Board. However, since GDPR took effect the main input to the DPO role has come in the form of legal cases brought by national supervisory authorities.
On 28 April 2020, the Belgian data protection authority (the “APD”) imposed a €50,000 fine on a Belgian company for non-compliance with the GDPR requirement to appoint a Data Protection Officer and to ensure that he or she is not conflicted in the role. In the view of the APD, the DPO’s other role as Director of Audit, Risk and Compliance created a conflict of interest and therefore constituted an infringement of Article 38(6) of the GDPR.
This decision is worrying because the DPO did not occupy any of the senior management roles that the Article 29 Working Party’s 2017 guidance highlights as likely to give rise to a conflict of interest. In this case the DPO’s other role was Director of Audit, Risk and Compliance, a seemingly natural candidate for a DPO appointment.
The APD decided that a person with responsibility for the Audit, Risk and Compliance departments thereby determined the purposes and means of the processing of personal data in those departments, leading to a conflict of interest.
In 2021 the Bulgarian Commission for Personal Data Protection (the “CPDP”) considered whether the DPO could be a legal entity, such as a limited company, rather than a living person. The CPDP decided that the DPO must be a real person, as the wording of GDPR clearly anticipates that this will be the case (an argument supported by a variety of quotations from GDPR). It confirmed that the DPO could be appointed from outside the organisation, and it saw benefits in combining the individual skills, expertise and experience of team members in a consultancy or compliance service provider. However, a specific individual should be appointed as DPO and act as the point of contact for the specific controller or processor organisation.
According to the CPDP, the above-mentioned arguments do not exclude the possibility of legal entities or organisations providing services related to the functions of a DPO. When the functions of the DPO are performed under a service agreement with a legal entity or organisation, the individual skills, expertise and experience of the team members can be combined, producing a positive effect as different individuals serve their customers more efficiently. However, although legal entities and other organisations may perform the functions of the DPO under a service agreement, they are obliged to appoint a specific individual as DPO and point of contact for the specific controller or processor of personal data.
The decision whether or not to appoint a DPO should be reviewed regularly and should also be considered as part of any Data Protection Impact Assessment. It is also recommended that organisations review the set-up of the DPO role from time to time, as circumstances will change. The issues to focus on include identifying the specific job roles at the organisation that may be incompatible with the DPO role and, separately, considering whether the other current duties of any incumbent DPO could be incompatible with the role. Check whether the DPO is adequately resourced and whether he or she has access to senior management for reporting. These checks should be carried out by someone other than the DPO, although he or she will be involved in discussions and provide input. It will be important to demonstrate that the enquiries have been conducted with a degree of independence. Decisions about what actions are needed based on the findings should also involve the DPO, but they are likely to need the input of senior management, touching as the role does on management structure and the allocation of resources.
Mandy P Webster, Data Protection Consultant