Can a DPO audit his own company?

To resolve this very common doubt, we must first turn to Article 39 of the General Data Protection Regulation (hereinafter, GDPR) on the functions of the Data Protection Officer (hereinafter, DPO). It establishes that the DPO shall monitor compliance with the applicable data protection regulations and with the controller's policies, including the assignment of responsibilities, the awareness-raising and training of staff involved in processing operations, and the related audits.

As we can see, the GDPR does not indicate what role the DPO plays in audits. However, Article 38 does tell us that the DPO may fulfil other functions and tasks, provided that it is ensured that those tasks do not give rise to a conflict of interest.

Therefore, the key question is whether the DPO's involvement in an audit could constitute a conflict of interest.

We know that there are companies in which, depending on their size and nature, a data protection department has been created that carries out the tasks linked to this function, while the DPO only supervises. In other cases, the DPO (whether a single person or several) is responsible for running the compliance programmes of the data controller. In this last scenario, not only is there a greater risk of a conflict of interest, but it also makes no sense for the person in charge of preparing and executing the data protection compliance programmes to audit themselves, since any errors or deficiencies will be harder to detect.

3 lines model

Secondly, to resolve this issue, we can also refer to the so-called “3 lines model”, according to which:

  • The first line is made up of management control, where each operational or functional area of the organisation manages its own risks and controls.
  • The second line includes the functions of risk oversight, controls and compliance with established policies and standards.
  • The third line, made up of Internal Audit, provides, among other things, objective oversight of the first two lines of defence.

Although the three lines are related and must coordinate and cooperate with one another, the teams of the second and third lines of defence must never coincide.

The natural and logical place for the DPO is in the second line of defence, regardless of the tasks entrusted to them.

In summary, it is necessary to define clearly which powers the DPO has regarding the supervision of data protection compliance and which ones the Internal Audit area will exercise functionally. Let us not forget that the DPO is one more function of the organisation and must also be audited and controlled in the performance of their duties, without this implying, or being able to imply, a loss of independence for that figure.

For all these reasons, we can conclude that the DPO could audit their own organisation, since there is no rule that prevents it. However, they should not do so, in order to avoid conflict-of-interest situations, to give the company a different point of view, and to make it easier to detect whether the tasks carried out under their direction are being performed correctly.

IT Lawyer | Governance, Risk & Compliance | Privacy
