Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests

23.11.2018

Paragraph 6, Article 38 of the General Data Protection Regulation (GDPR) allows the Data Protection Officer (DPO) to fulfil other tasks and duties (beside serving as the DPO) for the controller or processor, provided however, that fulfilling such additional assignments doesn’t amount to a conflict of interest.

The Article 29 Working Party Guidelines on Data Protection Officers (‘DPOs’) further explain that the DPO should not “hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”. A list of typically or presumably conflicting positions within the organisation is also included in the Guidelines (page 16).

On November 9, 2018, the Slovenia’s Information Commissioner (Informacijski pooblaščenec) published on their website the Recommendations regarding the operations of the DPO, which include a list of tasks that, if performed by the DPO, would typically result in a conflict of interest and should therefore be avoided by the DPO. These include:

  • deciding upon the rights and obligations of an individual;
  • deciding on setting-up new filing systems, defining purposes and scope of processing;
  • deciding on organizational and technical measures for the security of the personal data;
  • deciding on engaging the processors and drafting of contracts between the organisation and the processors;
  • deciding on the transfer of personal data to third countries or international organisations;
  • carrying out of a data protection impact assessment (DPIA);
  • setting-up or updating a record of processing activities;
  • other tasks that include decision-making related to personal data where the DPO would find her/himself in a situation when she or he would have to scrutinise their own decisions.

In our view, the abovementioned examples support the often-overlooked fact that the DPO is not, and should not be, a (top) personal data operative, but rather a high-profile expert who should be spared from any day-to-day (processing) operations involving personal data.

 

Article provided by: Matija Jamnik (JK Group, Slovenia)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.