Is it possible to combine the function of the DPO with the duties of an information system administr
In most cases, the scope of duties related to the ISA function is regulated only in the internal sphere of the controller in question, e.g. in the security policy, or stems from an employee's job description or from a service contract with a person outside a specific organisation. Sometimes the tasks of the ISA with respect to specific systems are indicated in specific provisions of law, e.g., Article 10(2) of the Act of 22 November 2013 on Emergency Notification System; Article 2(2) of the Act of 28 April 2011 on Health Information System. The function of the ISA is most often assigned to an IT specialist or IT manager, and his or her main tasks include: administration of servers for data processing, implementation of IT system security, identification of potential threats and vulnerabilities to IT systems, detection of unauthorised access to the system, maintenance of their continuity of operation, configuration of user accounts. For this reason, combining the functions of the DPO and ISA in specific cases may be considered non-compliant with the GDPR.
The assessment in this regard should be made from the point of view of meeting the requirements indicated in the GDPR for the DPO, including, in particular, his or her independence, proper location in the organisational structure of the controller and the real ability to properly fulfill the tasks assigned to him or her. From this perspective, the consolidation of the function of the DPO with that of the ISA may cause risks to the security of personal data processing. This is because the person in charge of the day-to-day conduct of personal data processing and data security in IT systems will at the same time exercise supervision over the legality of the activities performed by him or her. Thus, such a situation results in a de facto lack of supervision over the compliance of data processing with the law, including the provisions of law that define the requirements for personal data security.
The DPO must not be subordinate to any person other than the highest management level (Article 38(3) of the GDPR), which is supposed to guarantee him or her independent, correct and effective fulfillment of functions. The highest management of an organisational unit - depending on its type - may be the person or persons (e.g., those who are part of a body) who direct their work (e.g., ministers in charge of government departments, school principals), manage its affairs (e.g., a company's board of directors) or undertake profit-making activities (e.g., sole proprietors), acting as a controller. In the case of combining DPO and ISA functions, a solution is excluded in which such a person would report to, for example, an IT director, IT manager or any other person (e.g., the director general of a public office) who is not highest management within the meaning of Article 38(3) of the GDPR.
According to Article 38(6) of the GDPR, the DPO may fulfill other tasks and duties, with the controller or processor ensuring that such tasks and duties do not result in a conflict of interests. The GDPR does not specify in what situations the conflict of interests indicated in Article 38(6) of the GDPR will occur. The absence of a conflict of interests is closely linked with the requirement to fulfill tasks in an independent manner. This means that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
Executive positions will be considered to result in a conflict of interests (chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT department), but so may other roles lower down in the organisational structure, if such positions or roles lead to the determination of the purposes and means of processing.
Therefore, the aforementioned conflict of interests may also include positions related to security in the organisation, as long as they involve deciding - in any way - on the means and purposes of processing personal data in the organisation.
In summary, the assessment of whether a conflict of interests exists for a particular person and the tasks he or she fulfills should be made on a case-by-case basis, taking into account the specific circumstances. This means that the possibility of a conflict should be constantly monitored, since the reasons for the existence of such a conflict may also exist at a later time, after the DPO has started performing his or her function.