Europrivacy has contributed to the public consultation concerning DPO’s guidelines issued by WP29, proposing some observations and a specific question.
In particular, the comments concern the “conflict of interest”, a fundamental element whose features the guidelines exemplify for the case in which the DPO role is assigned to a natural person within the company organisation, while omitting analogous specifications for the alternative case in which the role is assigned to a person external to the company organisation.
The text of the document provided is reproduced below.
Via e-mail to: JUST-ARTICLE29WP-SEC@ec.europa.eu and firstname.lastname@example.org
Re: Guidelines on Data Protection Officers (DPO) – additional comments
a) The Guidelines on Data Protection Officers (‘DPOs’), at point 2.4 “• DPO on the basis of a service contract”, make clear that “The function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organization” and that “In this latter case, it is essential that each member of the organisation exercising the functions of a DPO fulfils all relevant requirements of Section 4 of the GDPR (e.g., it is essential that no one has a conflict of interests).”
b) The information given to delimit the concept of “other tasks and duties” that may be in conflict of interest is well suited to the case of the DPO as a leading figure of the owner/controller inside the business organisation, and that holds
- both with regard to its general terms, expressed at point 3.5: “The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.” and reaffirmed in FAQ n° 10 of the DPO Annex: “What are the ‘other tasks and duties’ of a DPO which may result in a conflict of interests (Article 38(6))?”
- and with regard to the exemplification of the possible positions that take the form of a conflict of interest, chosen exclusively from among individuals internal to the business organisation of the controller/processor: “As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” (note 34);
c) On the contrary, such specifications and examples are not adduced for the case of the DPO external to the business organisation of the controller/processor, for which the only reference (point 3.5, fifth bullet) is extremely general: “Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors: (…) to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”
Given the above, please:
provide some explanatory indications relative to the specific case of the DPO external to the business organisation of the controller/processor, adducing examples of “other duties and tasks” that may be in conflict of interest in this case as well, in particular when the service provider appointed as DPO has or has had a previous consultancy or assistance relationship with the controller/processor.
Maria Roberta Perugini