The Article 29 Working Party adopted three sets of guidelines at its December 2016 Plenary Meeting: Guidelines and FAQs on the right to data portability, Guidelines and FAQs on the lead supervisory authority, and Guidelines and FAQs on Data Protection Officers (DPOs).
These Guidelines are particularly useful in light of the GDPR, which makes it mandatory for certain controllers and processors to designate a Data Protection Officer: public authorities and bodies, and organisations that monitor data “systematically and on a large scale, or that process special categories of personal data on a large scale”.
In the past, the Article 29 Working Party has stressed the importance of the DPO in terms of compliance and accountability, and these timely Guidelines, which are crucial for GDPR compliance, are warmly welcomed on my part.
Earlier this month I wrote about the Bavarian Data Protection Authority’s decision to fine a company for having an IT manager who also acted as the internal Data Protection Officer of the company.
Sections 3.3 (“Instructions and ‘acting in an independent manner’”) and 3.5 (“Conflict of interests”) of the Guidelines on Data Protection Officers provide particular guidance relevant to that case.
“3.3. Instructions and ‘acting in an independent manner’
Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers/processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of [his or her] tasks.’ Recital 97 adds that DPOs, ‘whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner’.
This means that, in fulfilling their tasks under Article 39, DPOs must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law. The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks pursuant to Article 39. The controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to those making the decisions.”
“3.5. Conflict of interests
Article 38(6) allows DPOs to ‘fulfil other tasks and duties’. It requires, however, that the organisation ensure that ‘any such tasks and duties do not result in a conflict of interests’.
The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
· to identify the positions which would be incompatible with the function of DPO
· to draw up internal rules to this effect in order to avoid conflicts of interests
· to include a more general explanation about conflicts of interests
· to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
· to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”
It can be concluded that the Article 29 Working Party, in these Guidelines, confirms the decision of the Bavarian DPA. This is further demonstrated in FAQ 10 of the WP243 Annex (Frequently Asked Questions), which reads:
“What are the ‘other tasks and duties’ of a DPO which may result in a conflict of interests (Article 38(6))?
The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case. As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”
In order to fulfil the independence requirement as understood by the Article 29 Working Party and the Bavarian DPA, companies will need to appoint one of the following:
a. a full-time Data Protection Officer;
b. an internal DPO who also holds other tasks and duties, which Article 38(6) permits only on condition that the organisation ensures that ‘any such tasks and duties do not result in a conflict of interests’ (so a position that determines the purposes and means of processing, such as head of IT, is ruled out); or
c. an external DPO.