Here come the answers of the Privacy Aythority to frequently asked questions asked about the DPO (ex art. 37 Reg UE 2016/679)
Below the link in both Italian and English
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5930300
http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
Please find here below the answer n. 10 that in my opinion integrates and responds to the discussion that followed the post by colleague Stefanelli “Who can do Data Protection Officer?”
10 What are the ‘other tasks and duties’ of a DPO which may result in a conflict of interests (Article 38(6))? The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing
Enjoy the reading!
Laura Marretta