Can a DPO simultaneously fulfill the function of a classified information protection officer?
The GDPR does not explicitly prohibit the combination of the two functions. However, in each specific case, it is necessary to make a thorough assessment to ensure that all conditions are met to guarantee that the DPO independently and properly performs his or her tasks.
First, the above solution must not affect the proper placement of the DPO within the structure of the controller and the performance of his or her tasks independently. In terms of ensuring compliance with personal data protection regulations, the DPO must not be subordinate to or receive instructions from any person other than the head of the organisational unit or the individual who is the controller. An analogous requirement applies to a classified information protection officer, who, according to Article 14(2) of the Act of 5 August 2010 on the Protection of Classified Information, should report directly to the head of the organisational unit in which he or she performs his or her duties.
Second, combining these functions must not lead to a conflict of interest (Article 38(6) GDPR). The occurrence of conflicting priorities could result in neglect of the duties performed by the DPO. Therefore, in each specific situation, it should be carefully analysed (as in the case of combining the function of the DPO with any other duties) whether the DPO is able to perform his or her tasks properly when fulfilling both functions simultaneously. Consideration should be given to the amount of time needed to perform particular duties (including cooperation with other supervisory authorities), the complexity and importance of tasks, the time reserve for unplanned tasks, the amount and type of personal data, the processes and IT systems used to process them, as well as the risk areas associated with these processes. Many other factors should also be taken into account, such as the structure, size and staff resources of an organisation (including in terms of the obligation to conduct staff training). In particular, in the case of a part-time DPO, or one who combines DPO duties with other tasks, the priority should be to ensure that the DPO has sufficient time to perform the assigned tasks.
According to the Article 29 Working Party, it would be good practice to indicate the time to be spent on the duties of the DPO. The same consideration and analysis needs to be given to the duties of a classified information officer. Careful consideration should be given to the amount and type of classified information, as well as the time and capacity to perform all the tasks specified in Article 15 of the Act on the Protection of Classified Information. These include, among others: ensuring the protection of classified information, including the use of physical security measures; ensuring the protection of information and communication systems in which classified information is processed; security risk management, in particular risk estimation; and control of the protection of classified information and compliance with regulations on the protection of such information.
In the light of Article 38(2) of the GDPR, the controller and processor shall ensure that the DPO has the resources necessary to perform the tasks indicated in Article 39 of the GDPR and the resources necessary to maintain his or her expertise. This obligation means that the DPO should have the organisational, technical, technological and financial resources needed to effectively carry out the duties related to his or her function.
The Act on the Protection of Classified Information, on the other hand, stipulates in Article 15(2) that the classified information protection officer performs his or her tasks with the assistance of a separate and subordinate organisational unit for the protection of classified information, if one is established in the organisational unit. Such a unit may also be a secret office in accordance with Article 42(4) of the Act on the Protection of Classified Information. If such a unit is established, the classified information officer may have the assistance and support of "security division" employees in carrying out the tasks connected with his or her function, which, in specific, justified cases, may positively affect the assessment of the possibility of combining the two functions in question. The DPO can also be supported by the DPO team.
It is worth noting that the tasks of the DPO apply to all personal data processed by the controller, while the tasks of a classified information officer focus on a special category of information - classified information. Nevertheless, the tasks assigned to these two functions have some similarities, and the knowledge and experience needed to perform one of these functions can be helpful in performing the other one.