In this article, we would like to present the most important aspects of the status and duties of Data Protection Officers (DPOs), focusing mainly on the DPO's participation in decisions, the provision of resources, independence, liability and possible sanctions, the obligation of confidentiality and, finally, conflicts of interest.
1. Participation in decisions
According to Article 38 (1) of GDPR, in order to ensure that the Data Protection Officer (hereinafter referred to as: DPO) is actively involved in the planning and implementation of activities relevant to data protection, the controller and the processor must ensure that the DPO “is involved in an appropriate and timely way in all matters relating to the protection of personal data”. This can be done in several ways, including the following:
- regularly inviting the DPO to management meetings, especially where decisions with data protection implications may be taken;
- the opinion of the DPO should be carefully taken into consideration. In case of disagreement, it is recommended to document why the controller or the processor does not act in the way recommended by the DPO;
- if a data protection or other incident has occurred, consult the DPO urgently;
- in the case of a controller or processor organised into departments, “data managers” may be appointed if necessary: persons who have the best insight into their own team, who communicate information effectively to the DPO and who replace him or her in his or her absence.
As can be seen from the above, these obligations aim to encourage a proactive approach by controllers and processors to working with the DPO and complying with the GDPR rules: the more attention the controller or processor pays to the involvement of the DPO, the more data protection expectations can be integrated into business processes. If an internal DPO is appointed, it is obviously easier to comply with the requirement to participate in decision-making. However, it should be noted that excessive involvement of the DPO in decision-making may lead to a breach of the conflict of interest rules, which will be explained later (for example, if the organisation requests the opinion of the DPO on data protection issues in the context of the payment of an employee bonus). The participation requirement is more difficult to meet for an external DPO, as a trusted service provider who is not part of the controller's or processor's organisation cannot logically participate in these processes to the same extent as an employee. To deal effectively with such issues, it may be good practice for the controller or processor to establish in advance internal rules or programmes that explicitly identify the subjects on which the DPO must be consulted.
2. Provision of resources
According to Article 38 (2) of GDPR, the controller or processor is obliged to provide the DPO with the resources necessary:
- for fulfilling their tasks as defined in the GDPR;
- for access to personal data and data processing operations; and
- for maintaining the level of expert knowledge.
The first two points typically involve technical, organisational and infrastructural measures, such as ensuring that the DPO has the time, space, equipment, support staff and access to IT systems necessary to carry out his or her work. Supporting the maintenance of expertise also implies that the controller or processor encourages the DPO to participate in activities (for example, professional forums and training courses) that develop his or her professional knowledge of the protection of personal data.
There may be practical differences between an internal and an external DPO when it comes to the controller or processor supporting attendance at training, especially if the training involves financial costs. If the controller or processor employs an internal DPO, the employer's reimbursement of training costs may be determined on the basis of the Labour Code (provided that the training is justified for the performance of the employment contract). According to Section 6:278 (4) of Act V of 2013 on the Civil Code (hereinafter referred to as: “Act on the Civil Code”), an external DPO acting under an agency contract may only claim reimbursement for training provided on the instructions of the controller or processor. In other words, in the case of an internal DPO the costs of training initiated by the employee can be reimbursed, whereas in the case of an external DPO this is only possible by individual agreement. When authorising training, as with the provision of other resources, the controller and processor may decide not to support the training of the DPO on the grounds that its duration and cost are not proportional to the complexity and sensitivity of the organisation's data processing operations.
3. Independence
According to Article 38 (3) of GDPR, the controller and the processor must ensure that “the DPO does not receive any instructions regarding the exercise of his or her tasks”; this requirement applies to both internal and external DPOs. This means that the DPO cannot be instructed how to handle requests from data subjects, when to consult the supervisory authority, or how to interpret a legal provision relating to the processing and protection of personal data. The DPO must nevertheless respect other basic standards of conduct in the performance of his or her duties: as an employee, he or she has to protect the employer's interests, and as a data protection lawyer acting for a client under an assignment contract, he or she is obliged to protect the client's interests. This does not mean, however, that the independence of the DPO is overruled by these rules, because according to Article 99 of GDPR the Regulation, and with it the independence of the DPO, is binding in its entirety and directly applicable in all Member States.
4. The liability of the DPO, sanctions
On the basis of Article 24 (1) and Article 38 (3) of GDPR, the DPO bears no personal responsibility for compliance with the General Data Protection Regulation (the controller and the processor are directly responsible for compliance with, and monitoring of, data protection legislation). In order to promote the independence of the DPO, he or she is accountable only to the highest management level of the controller or processor and is protected against adverse consequences (he or she cannot be sanctioned or dismissed in connection with the performance of his or her duties). These rules do not, however, deprive the controller and the processor of the right to terminate the employment of the DPO on other grounds, or of the possibility of applying the general liability rules for employees and agents.
5. Obligation of confidentiality
According to Article 38 of GDPR, “the DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law”. In Hungary, the Act on the Right of Informational Self-Determination and on Freedom of Information, the Labour Code and the Act on the Activities of Attorneys-at-Law also contain confidentiality provisions that explicitly guarantee the confidentiality of the DPO's duties.
6. Conflict of interests
In general, the DPO may also perform tasks other than those provided for in the General Data Protection Regulation, but under Article 38 (6) of GDPR the controller or processor must ensure that these tasks do not give rise to a conflict of interest. The existence of a conflict of interest must always be assessed on a case-by-case basis. As a general rule, however, there is a conflict of interest where the DPO determines the purposes and means of the processing of personal data carried out by the controller or processor (or for their benefit). For example, there is a conflict of interest in holding a senior management or departmental management position, and in representing a client in court.
We refer here to a 2016 decision of the Bavarian Data Protection Commissioner. According to this decision (under Bavarian law), the DPO cannot be the organisation's information technology manager, as this would essentially mean that he would have to verify his own activities and could not perform his tasks independently. In a decision of 28 April 2020, the Belgian data protection authority imposed a fine of EUR 50,000 on a data controller because of a conflict of interest on the part of the DPO it had appointed. The reason was that the DPO also held a senior position in the company's internal GDPR audit, compliance and risk assessment functions. This raised fundamental doubts as to the independence of the DPO's activities, as he had such a degree of influence over the data processing processes that he in effect determined the purposes and means of the processing of personal data.
In a 9 February ruling centred on Article 38 of the EU General Data Protection Regulation, the Court of Justice of the European Union (CJEU) stated that DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.” The CJEU's determination followed a request for a preliminary ruling by the Federal Labour Court of Germany in proceedings between X-Fab Dresden and its former data protection officer.
The former DPO, who had also served as “chair of the works council”, was dismissed from the role of DPO in December 2017. X-Fab argued that the dismissal was justified, citing “a risk of a conflict of interests” in performing both functions. The CJEU found that Article 38, which states that DPOs cannot be dismissed or penalised for performing their tasks, does not prevent national laws from establishing additional protections against the dismissal of DPOs. However, such additional protections must not “compromise the principal objectives of the GDPR to maintain high levels of data protection.”
The Belgian data protection authority made another relevant decision on this topic, imposing a fine on an unnamed bank because its internal data protection officer was also the head of three departments with decision-making powers over the processing of personal data.
The DPO was simultaneously head of the bank's operational risk management department, its information risk management department and its special investigation unit, which led to a conflict of interest. The Belgian DPA argued that these activities are not purely advisory and supervisory functions. A conflict of interest is assumed whenever the DPO can himself decide on the processing of personal data.
Lastly, we review a recent decision of the Berlin Commissioner for Data Protection and Freedom of Information, which fined a retail group EUR 525,000 for violating Article 38 (6) GDPR because of a conflict of interest on the part of its DPO, who was expected to monitor independently decisions that he had himself made in his capacity as an executive of the company. The DPO was at the same time the managing director of two service companies which processed data on behalf of the controller. These service companies were also part of the group, providing customer service and fulfilling orders. In carrying out his legal duties, the DPO had to monitor compliance with data protection law by the service companies acting as processors, while also being responsible for the managerial decisions taken within them.
Depending on the size and organisational structure of the controller or processor, the following measures may be good practice to prevent conflicts of interest for the DPO:
- identify positions that are incompatible with the position of DPO;
- introduce explicit internal rules to avoid conflicts of interest for the DPO;
- have the DPO declare that he or she has no conflict of interest;
- in the case of an external DPO, ensure that the DPO's recruitment file, job description and contract of engagement contain sufficiently precise and detailed safeguards to avoid any conflict of interest.