The GDPR conceives of the ideal type for a data protection officer (DPO) as a sort of liberal intellectual. They answer only to top management, dispose over ample resources, are professionally independent, and have no managerial responsibility vis-à-vis the business plan. But is all of this compatible with holding other roles in an organisation? The GDPR’s answer (Article 38, para. 6) is “maybe”, and it all hinges on avoiding a conflict of interest.

The tension comes from the reality that corporations do not usually employ liberal intellectuals (they might occasionally engage them as consultants, but that’s beside my point here). Corporations have hierarchies, reporting matrices, and managers who are responsible for their business areas. Consequently, inclinations to integrate DPOs, along with other second-line control functions, into the organisational logic—as opposed to having them float around it—are natural and largely understandable. Certain experiments with such integration have, however, not proven successful.
Managing Director as DPO
Perhaps the shortest route to failure has been the managing director (or indeed any executive manager) as DPO—a solution which has drawn considerable focus from regulators. Probably the most expensive lesson to date comes from the Berlin Data Protection Commissioner, which in 2022 imposed a walloping €525,000 fine on a German e-commerce company whose DPO also served as the managing director of its subsidiaries.
N.B. that already in 2016 in their guidance document on DPOs (wp243), the Article 29 Working Party (the forerunner to the European Data Protection Board) very clearly cautioned against this practice:
“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing” (p.24)
… which, of course, an exec inevitably will.
Compliance Officer as DPO
To move on from the obviously wrong to the more nuanced and clearly more prevalent: DPO roles often include other responsibilities from the compliance domain. As I also argued in my 2024 paper at ELTE Law (“A compliance-program adatkezelése” / “The Data Processing of Compliance Programmes”), this creates an issue around internal controls:
“when, in the course of the administration of records, an audit or an investigation, the compliance officer identifies a need for personal data processing, the DPO should monitor and control this […] [T]he compliance function will leave the role of the control function and become a business function; while the control function will be exercised by the DPO. If the same department or, in the case of a smaller company, perhaps the same employee, has to wear these two ‘hats’ at the same time, it is almost certain that one of these aspects will be compromised.” (p.9, translated from Hungarian)
This year has already been rich in pertinent enforcement actions:
- In March, in a cross-border case from Norway-Denmark-Sweden, the Norwegian regulator found it problematic that the DPO did not report to the highest management level, and that their tasks were mixed with those of a corporate lawyer.
- In May, Toyota Bank Polska S.A. was fined €132,000, which at least partially had to do with their DPO being buried in their IT department, at subject-matter-expert level.
Two Belgian cases, from 2020 and 2021—both of which resulted in fines by the national regulator (APD)—also warrant a mention:
- The case of Proximus SA, where the DPO was also head of the compliance and audit department (fine: €50,000)
- And of a bank whose DPO headed up three other departments: Operational Risk Management, Information Risk Management, and the Special Investigation Unit (fine: €75,000)
What is the Way Out?
The obvious one is simple: a DPO function that does not dabble in anything else, and reports directly to the Chairperson (or CEO, &c.). If resources do not allow this, or if the organisation is so keen to utilise the DPO’s transferable skills that it is willing to compromise on to-the-letter GDPR compliance, a combined role might not be completely unfeasible. The key is to remove the DPO—ideally through preventative controls—from situations in which they would oversee data processing on behalf of the controller (that is, the conflict of interest).
If you’re looking for inspiration (and you understand GDPR Danish), a recent podcast by the Danish Data Protection Agency (Datatilsynet) provides some worthwhile food for thought. I also have a few thoughts of my own to share after the summer break—including why you should care even if you do not see regulatory enforcement as an imminent risk. Hope to see you back here then.