What are the other functions of the DPO?
It's no great revelation to say that the Data Protection Officer (DPO) can perform other functions. This is stipulated in Article 38 of the Data Protection Regulation. Otherwise, small and medium-sized businesses could have serious difficulties in meeting the regulatory costs of having a different advisor for each specific regulation.
But, as is often the case, there are limits: performing these other functions must not cause a conflict of interest.
Colloquially, we can define a conflict of interest as a situation in which a person or entity may make a decision influenced by reasons other than those strictly necessary to perform their job. For example, hiring a supplier in which they own shares or that benefits a family member, even though they know it's not the best option or is more expensive. In that example, that professional would be harming the company that hired them to benefit the family member.
Little by little, the various data protection authorities and courts have been defining which activities do and do not pose a potential conflict of interest. But perhaps the most notable opinion, given that it was published immediately after the approval of the GDPR, is the guidance issued by the former Article 29 Working Party.
This guide tells us that the DPO cannot hold a position within the organization that requires determining the purpose of personal data processing. It would be as if the DPO decided on the marketing actions to be carried out with the customer database. The correct approach, in this example, would be for the Marketing department to develop the campaign and consult the DPO on what requirements must be met for its implementation. The DPO, in their advisory role, could indicate what is necessary or even, in the worst case, declare that the campaign does not comply with regulations. However, the decision to launch that campaign, and the risk of doing so even with an unfavorable opinion from the DPO, rests with the organization (the controller), not the DPO.

As a basic rule, this guide tells us that there are positions that involve a conflict of interest, such as CEO, COO, CFO, Marketing, HR, or IT, but also other roles with lower responsibilities in the organization that likewise determine these purposes.
A conflict also arises if the DPO represents the organization in court in the event of GDPR incidents. This makes perfect sense; remember, the Data Protection Officer also has a mediating role, which in some cases may involve taking sides with the affected party.
Let us remember the principle of proactive responsibility: it is up to each organization to estimate which position is most appropriate for the DPO to occupy, whether internal or external, full-time or with other functions, in one area or another. Therefore, although we have guidelines, there is no magic formula that says one arrangement complies and another doesn't.
Special mention should be made of the Compliance Officer, who ensures that organizations operate within legal and ethical boundaries, because of the similarities this role often has with the DPO: specifically, the advisory role, the necessary guarantee of independence, the need for sufficient resources, and access to senior management.
Even though they are very similar figures, and although a DPO can perform the functions of a Compliance Officer, conflicts of interest may also arise. For example, better compliance with the GDPR may put at risk compliance with other, conflicting regulations, such as the prevention of money laundering, which, unlike the minimization principle in the GDPR, implies that the more customer data is known, the better the degree of compliance.

In conclusion, other functions can be performed, within the limits imposed by the GDPR. There is no formula that applies to all organizations: each organization will decide, based on the principle of proactive responsibility and depending on the context, whether the performance of these other functions may entail a conflict of interest and, if so, what safeguards should be adopted to prevent such conflicts.
Source: https://ec.europa.eu/newsroom/article29/items/612048/en