What guarantees of independence have been granted to the DPO under the GDPR?
Data Protection Officers (DPOs) - regardless of whether they are employees of the controller or not - should be in a position to perform their duties and tasks in an independent manner. (GDPR recital 97).
To ensure the DPO's independence, the General Data Protection Regulation introduces several specific safeguards that serve this goal, namely:
- DPO's direct subordination to the highest management,
- Supporting the DPO in performing the tasks,
- Ensuring DPO's participation in all matters related to personal data protection,
- Prohibition of issuing instructions to the DPO regarding his/her tasks,
- Avoidance of the DPO's conflict of interest,
- Prohibition of dismissing and penalising the DPO,
- Obligation to maintain secrecy or confidentiality concerning the performance of the DPO's tasks.
As good practice, the Article 29 Working Party in its Guidelines on DPOs recommends the introduction of internal regulations (rules, statutes) guaranteeing the DPO's independence in performing his/her tasks.
Direct subordination of the DPO to the highest management
One of the specific solutions serving the DPO's independence is placing him/her in the organisational structure of the data controller or processor directly under the highest management. According to Art. 38(3) GDPR, the DPO shall directly report to the highest management of the controller or processor.
Subordination to the highest management is one of the guarantees of the DPO's independence and high position in the structure of the data controller; it also shortens the reporting path, which is of great importance when quick corrective action is needed in the event of a data breach.
Direct subordination means that in the activities undertaken by the DPO, he/she cannot be subordinate to any other persons or organisational units that are part of the controller's structure (Art. 38 (3) GDPR).
How the term "highest management" is understood depends on the type of entity the controller or processor is. By way of example, the "highest management" will be the person or persons who are part of the body and direct its work (ministers in charge of government departments, school principals), or who conduct its affairs (board of directors of a company, partners of a general partnership, owner of a sole proprietorship).
Supporting the DPO in performing his/her tasks
The data controller and the data processor are obliged to support the data protection officer by, among other things, providing the resources necessary to carry out his/her tasks.
The Art. 29 Working Party in the Guidelines on the Data Protection Officer advocates a broad understanding of resources:
- support for the DPO by senior management (e.g. at the board level),
- time allocation enabling the DPO to perform his/her tasks,
- appropriate financial, infrastructural (premises, facilities, equipment) and staff support, as appropriate,
- official communication to all employees about the designation of the DPO and his/her tasks,
- enabling access to other departments of the organisation, e.g. HR, legal department, IT etc.,
- continuous training. The DPO should have the opportunity to continuously update his/her knowledge in the field of personal data protection. The aim should be to increase the DPO's knowledge and encourage him/her to participate in training sessions, workshops, forums dedicated to data protection, etc.,
- staff support, e.g. appointment of a DPO team.
Ensuring the DPO's involvement in all matters related to personal data protection
Article 38 of the GDPR obliges the data controller and the data processor to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. This norm aims to prevent attempts to limit the DPO's access to information necessary for the performance of his/her tasks, thus fostering his/her independence.
According to the Guidelines of the Article 29 Working Party on Data Protection Officers, it is crucial that the DPO, or his/her team, is involved from the earliest stage possible in all issues relating to data processing, as this will facilitate compliance with the GDPR. The General Data Protection Regulation specifically requires the controller to involve the DPO in certain activities and decisions; e.g., it requires the controller to consult the DPO when carrying out a data protection impact assessment. Therefore, involving the data protection officer in all matters related to data processing should be a standard procedure in the organisation.
Moreover, the DPO shall be seen as a discussion partner within the organisation, and he or she shall be part of the relevant working groups dealing with data processing activities within the organisation. Among other things, it should be ensured that:
- the DPO is invited to participate regularly in meetings of senior and middle management,
- the DPO's presence is recommended where decisions with data protection implications are taken, and all relevant information is passed on to the DPO in a timely manner so that he or she can provide adequate advice,
- the DPO is promptly consulted once a data breach or another incident has occurred,
- the controller or the processor defines other situations requiring consultation with the DPO.
In addition, the opinion of the DPO must always be given due weight by the management and employees of the entity. The WP29 recommends, as good practice, documenting the cases in which the DPO's advice is not followed and the reasons for this.
Prohibition of issuing instructions to the DPO on the performance of his/her tasks
An essential guarantee of the independence of the data protection officer is the prohibition on the controller or the processor issuing instructions (orders) to the DPO regarding the performance of his/her tasks (Article 38(3) of the GDPR). This prohibition means that in the course of fulfilling his/her tasks, the data protection officer does not receive any instructions regarding the way of handling a case, the measures to be taken, or the goal to be achieved. Moreover, the controller should not prevent or limit the data protection officer's contact with the President of the Personal Data Protection Office.
In the Guidelines on Data Protection Officers, the Article 29 Working Party indicates that the DPO also cannot be obliged to adopt a specific position on a matter within the scope of data protection law, including a specific interpretation of the regulations.
On the other hand, the Article 29 Working Party emphasises that the independence of the DPO (including in the context of the prohibition on issuing instructions regarding the performance of the DPO's tasks) does not mean that the DPO has decision-making powers exceeding the tasks set out in Article 39 of the GDPR. It remains the controller and the processor who are responsible for ensuring and demonstrating compliance with the personal data protection regulations. If the controller or the processor makes a decision that is not compliant with the GDPR and the recommendations of the DPO, the data protection officer should have the possibility to clearly present his/her position to the decision-makers.
Respecting this prohibition can be particularly problematic where the DPO's work intersects with internal audits of various areas of the activity of the entity that is a data controller. Particularly important, especially at the beginning of the functioning of the discussed provision, may be a thorough analysis of the scope and objectives of the individual positions related to internal audit, so that other people within the organisation, such as lawyers and auditors, can perform their tasks without violating the prohibition at stake.
Avoiding the DPO's conflict of interest
According to Article 38(6) of the GDPR, it is possible to impose other tasks and duties on the data protection officer, but the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests. Thus, as explained by the Article 29 Working Party in the Guidelines on Data Protection Officers, this means, among other things, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. This aspect has to be considered case by case. In assigning other tasks to the Data Protection Officer, to avoid a conflict of interest, the data controller or processor should identify within their organisation positions incompatible with the role of the DPO.
A valuable hint in this regard is the indication that, as a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT department) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing. In addition, a conflict of interests may also arise, for example, if an external DPO is asked to represent the controller or processor before the courts in cases involving data protection issues.
It would also be advisable to draw up internal rules to this effect in order to avoid conflicts of interests, and to include a more general explanation about conflicts of interests. Moreover, the data controller or processor should include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO is sufficiently precise and detailed in order to avoid a conflict of interests.
Prohibition of dismissing and penalising the DPO
The independence of the data protection officer is also supported by Article 38(3) of the GDPR, which states that the data controller or processor cannot dismiss or penalise the DPO for performing his/her tasks. Of course, this provision relates to the objectively correct execution of those tasks; it is not about protecting a DPO who does not duly fulfil his/her duties. This is the only provision in the General Data Protection Regulation concerning the dismissal of the DPO.
According to the Article 29 Working Party Guidelines on Data Protection Officers, the DPO cannot be dismissed for providing specific advice, even if it contradicts the position represented by the data controller or processor. The Article 29 Working Party explains that this refers to penalties in various forms, direct or indirect, such as absence or delay of promotion, prevention from career advancement, or denial of benefits that other employees receive. The prohibition of dismissing the data protection officer does not mean, however, that the DPO cannot be dismissed in justified situations for reasons other than performing his or her tasks as a DPO (e.g. in case of theft). The Article 29 Working Party recommends adopting policies to this effect, noting that the more stable a DPO's contract is, and the more guarantees exist against unfair dismissal, the more likely the DPO will be able to act in an independent manner.
Obligation of the DPO to maintain secrecy or confidentiality concerning the performance of his/her tasks
The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38(5) GDPR).
DPOs, in carrying out their duties, will undoubtedly have access to personal data, including personal data referred to in Art. 9(1) GDPR and personal data relating to criminal convictions and offences referred to in Art. 10 GDPR, as well as information regarding the technical and organisational measures ensuring processing in accordance with GDPR provisions, including data protection policies. DPOs will also be required to comply with all national and Union legal provisions that apply to them and under which specific information is covered by legally protected secrets. The data protection officer's obligation to maintain secrecy is fully justified and serves not only the security of personal data, but also the strengthening of trust in DPOs on the part of data controllers and processors. Importantly, in the Guidelines on Data Protection Officers, the Article 29 Working Party emphasises that the obligation of secrecy and confidentiality does not prevent the DPO from contacting the President of the Personal Data Protection Office and seeking advice from the supervisory authority.