Who can be the Data Protection Officer?

Wednesday February 15th, 2017

Many of my clients (public and private hospitals, pharma and medical device companies) are considering appointing their internal ICT manager as DPO.

In my view, this decision would not comply with the GDPR requirements, for the reasons set out below.

GDPR Article 37(5) states that:

  The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

Article 39(1) then establishes that:

The data protection officer shall have at least the following tasks:

  (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

  (b) to monitor compliance with this Regulation, ………. including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

Finally, Article 38 lays down that the DPO must act independently (Article 38(3)) and that any other tasks and duties must not result in a conflict of interests (Article 38(6)).

On this very point, on 13 December 2016 the Article 29 Data Protection Working Party (WP29) adopted its “Guidelines on Data Protection Officers” to harmonise the application of these requirements.

The Annex to the Guidelines states the following (point 3.3):

9. What are the safeguards to enable the DPO to perform her/his tasks in an independent manner (Article 38(3))?

Several safeguards exist in order to enable the DPO to act in an independent manner as stated in recital 97:

  • No instructions by the controllers or the processors regarding the exercise of the DPO’s tasks
  • No dismissal or penalty by the controller for the performance of the DPO’s tasks
  • No conflict of interest with possible other tasks and duties

10. What are the other tasks and duties of a DPO which may result in a conflict of interests (Article 38(6))?

The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.

In short, the DPO shall:

  • have adequate knowledge of data protection law;
  • be able to raise awareness and train the staff involved in the processing operations;
  • be in an independent position;
  • not be in a conflict of interests.

Given what I have explained above, I believe a company’s internal IT manager would not be able to meet the GDPR requirements: as the person who determines and applies the technical measures for the processing (WP29 expressly lists the head of IT among the conflicting positions), he or she could easily be in a conflict of interests.

Practice confirms this: on 20 October 2016, the Bavarian State Commissioner for Data Protection (the “BSC”) announced that an organisation had been fined for appointing an IT manager employee as its data protection officer. The BSC noted that a DPO cannot act independently and perform its duties whilst also having significant operational responsibility for data processing activities in a role such as IT manager.

In my view, another possible way is to appoint as DPO an external legal entity that combines several professional skills (for example legal and IT competence): this option is also contemplated by the WP29 Guidelines at point 2.4.

4 thoughts on “Who can be the Data Protection Officer?”

  1. paolo calvi

    On this point there continue to be misunderstandings, even though it is one of the few points on which the GDPR and the WP29 guidelines are crystal clear. The internal DPO may indeed be combined with other roles, but NOT with roles that carry operational responsibilities and that contribute to determining and applying, for example, the security measures. This is certainly the case for the IT manager, so it seems clear that combining the DPO role with that position must be ruled out. The German sanction should be a valid argument; let’s hope the message gets through…

  2. silvia stefanelli (Post author)

    …and yet everyone is thinking of appointing the IT manager….
    They are all convinced it is the best (and easiest) solution.

    On the German decision I have only found commentary articles in English;
    I cannot find out whether it has been appealed or not.
    Does anyone have any news?

  3. riccardo.abeti

    The problem that remains unresolved is the real independence of a person who, even if understood in a way analogous to the OdV (Supervisory Body) under Legislative Decree 231/2001, is often not truly independent … let alone how “independent” the IT manager could be …
