
Can DPD and Security Manager coincide?

Starting necessarily from the existing distinction between information security and the protection of personal data, the Legal Office of the Spanish Data Protection Agency (AEPD), in its legal report 2018-0170, considers that the figure of the data protection officer (hereinafter DPD) must be differentiated from that of the security manager (hereinafter RSEG) for the following reasons:

Reasons to differentiate the figure of the data protection officer and the security manager

1.- The segregation of functions laid down in article 10 of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme (ENS) in the field of Electronic Administration, would also extend to the figure of the DPD, since the General Data Protection Regulation (RGPD) provides for it in its article 38.3: "The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the performance of these functions."

Unlike the RSEG, who receives orders from the person responsible for the information, the DPD cannot receive instructions in the exercise of its functions and therefore acts with complete independence.

2.- The role of the RSEG is to guarantee information security, while the role of the DPD can be summarized as guaranteeing the rights and freedoms of the people whose data are processed, acting independently and reporting directly to the highest hierarchical level of the controller or processor.

These are, therefore, advisory functions that differ in their principles and scope, which is why they are subject to differentiated arrangements. Consequently, the RSEG issues guidelines aimed at guaranteeing the security of information, whether personal data or simply information held by the Public Administrations, while the guidelines that the DPD must provide (recital 77 of the RGPD) are aimed at guaranteeing the rights and freedoms of individuals, not the security of information.

In conclusion, unlike the RSEG, who may receive instructions from the IT manager, the DPD must not receive instructions in the performance of its duties. Appointing as DPD the same person or entity that holds the position of RSEG would amount to denying the principle of independence and segregation of functions of the ENS (art. 10) and the principle of independence laid down by the RGPD (art. 38.3).

Notwithstanding the above, the AEPD has recognized, as an exceptional case, the possibility that the DPD and the RSEG coincide in organizations that, because of their size and resources, cannot observe this separation, provided that the decision is justified and does not give rise to the incompatibilities described above.

IT Lawyer | Governance, Risk & Compliance | Privacy
