Europrivacy has contributed to the public consultation concerning DPO’s guidelines issued by WP29

By | Monday January 30th, 2017

Europrivacy has contributed to the public consultation concerning DPO’s guidelines issued by WP29, proposing some observations and a specific question.

In particular, the comments concerned the “conflict of interest”, a fundamental element whose features the guidelines exemplify for the case where the DPO role is assigned to a natural person within the company organization, while omitting analogous specifications for the alternative case where the role is assigned to a person external to the company organization.

The text of the document provided is reproduced below.


Via e-mail to: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr

Re: Guidelines on Data Protection Officers (DPO) – additional comments


Dear Sirs,

given that:

a) the Guidelines on Data Protection Officers (‘DPOs’), at point 2.4 “DPO on the basis of a service contract”, make clear that “The function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organisation” and that “In this latter case, it is essential that each member of the organisation exercising the functions of a DPO fulfils all relevant requirements of Section 4 of the GDPR (e.g., it is essential that no one has a conflict of interests)”;

b) the information given to delimit the concept of “other tasks and duties” that may be in conflict of interest is well suited to the case of the DPO as a leading figure of the owner/controller inside the business organization, and that

  • both as regards their general terms, expressed at point 3.5: “The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.” and reaffirmed in FAQ n° 10 of the DPO Annex: “What are the ‘other tasks and duties’ of a DPO which may result in a conflict of interests (Article 38(6))?”
  • and as regards the exemplification of the possible positions that take the form of a conflict of interest, chosen exclusively in the context of individuals internal to the business organization of the controller/processor: “As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” (note 34);

c) on the contrary, such specifications and examples are not adduced for the case of the DPO external to the business organization of the controller/processor, with regard to which the only reference (point 3.5, fifth bullet) is extremely general: “Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors: (…) to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”


Given the above, please:

provide some explanatory indications relative to the specific case of the DPO external to the business organization of the controller/processor, adducing examples of “other duties and tasks” that may be in a conflict of interest also for this hypothesis, in particular when the supplier of services appointed as DPO has or had a previous consultancy or assistance relationship with the controller/processor.


Best regards,


Giancarlo Butti

Paolo Calvi

Alessandro Crepaldi

Giampaolo Franco

Sergio Fumagalli

Chiara Giorgini

Biagio Lammoglia

Laura Maretta

Maria Roberta Perugini

Attilio Rampazzo

Andrea Reghelin

Giulio Spreafico

Silvia Stefanelli


All subscribers are Europrivacy.info’s Contributors.

Category: Data Protection Officer

About Giancarlo Butti

Has worked in ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. Carries out regular dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts, 11 collective works within ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. Participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA and a member of CLUSIT and BCI. He is certified LA BS7799, LA ISO/IEC 27001:2013, CRISC, ISM, DPO, CBCI and AMBCI.
