The DPO and conflicts of interest: What (management) functions are compatible with the DPO?



In a decision of April 28, 2020, the Belgian Data Protection Authority (DPA) imposed a fine of €50,000  in a case where a data protection officer (DPO) also performed an incompatible function. According to the DPA, a DPO cannot hold a (managerial) position within the organization in which he or she can determine the purpose and/or means of the processing of personal data.

However, almost exactly one year later, in a decision of April 26, 2021, the DPA seems to have adopted a more pragmatic approach on the functions performed by a DPO within an organization.

Below are the most important takeaways of both decisions.

Initial position of the DPA: very strict delineation

The 2020 case was brought before the DPA following a data breach notification. When investigating the data breach, the DPA discovered the conflict of interest of the DPO, who was also acting as the director responsible for audit, risk and compliance within the company.

In accordance with article 38.6 GDPR, the DPO may fulfil other tasks and duties, but the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interest”.

While a conflict of interest must be evaluated on a case-by-case basis within the structure of the specific organization, the DPA refers to the Guidelines of the Article 29 Working Party adopted on December 13, 2016, on Data Protection Officers (as amended). The Guidelines establish that the tasks and duties of a DPO must not result in a conflict of interest, meaning that the DPO cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data. Unacceptable functions may include:

  • Formal approach: senior management positions such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of human resources or head of IT departments;
  • Functional approach: roles lower down in the organizational structure if such positions or roles lead to the determination of purposes and means of processing.

In addition, the DPA adds that a conflict of interests may also arise if an external DPO is asked to represent the controller or processor before the courts in cases involving data protection issues.

The DPA decided that by combining the function of DPO and director responsible for audit, risk and compliance within the company, this inevitably entails that this person determines the purpose and means for the processing of personal data and that no independent supervision was possible. The combination thus represented a clear conflict of interest (formal approach).

DPA changes course: new insights following a decision of April 26, 2021

The previous decision was widely commented and criticized, especially the finding that the function of the head of a department is almost by definition incompatible with the role of DPO due to lack of independent supervision, even when the latter would have a de facto advisory function.

In its 2021 decision, the DPA accepted that the DPO role could be combined with a role as chief information security officer (“CISO”) and has taken a more functional approach overall, i.e.:

  • The CISO performs risk analyses – as head of the department – and presents suggested mitigations measures to the management.
  • Management decides whether or not to adopt the suggested measures;
  • Security measures are not within the scope of the function of the CISO.

With this decision, the DPA has taken a more functional approach to conflicts of interest of leading individuals / managers as DPO within their organizations. Notwithstanding the foregoing, it is advisable to keep the following rules of thumb in mind:

  • Identify the positions that could be incompatible with the function of DPO (formal and functional approach);
  • Draw up internal rules in order to avoid conflicts of interests;
  • Explain to your entire organization that the DPO has no conflict of interests with regard to their function as a DPO, as a way of raising awareness of this requirement;
  • Ensure that the job description of the DPO is sufficiently specified and detailed, even if this position is normally filled internally.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.