Many clients of mine (public and private hospitals, pharma and medical device companies) are considering appointing an internal ICT Manager as DPO.
I think this decision may not comply with the GDPR requirements, for the reasons below.
The GDPR art. 37 states that:
- The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Next art. 39 establishes that:
The data protection officer shall have at least the following tasks:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
to monitor compliance with this Regulation, […] including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
Finally, art. 38 lays down that the DPO shall be independent and shall not be in a conflict of interests.
On this topic, on 13 December 2016 the European Data Protection Working Party (WP29) adopted the “Guidelines on Data Protection Officers” to harmonise the application of these requirements.
The Annex to the Guidelines states the following (point 3.3):
9 What are the safeguards to enable the DPO to perform her/his tasks in an independent manner (Article 38(3))?
Several safeguards exist in order to enable the DPO to act in an independent manner as stated in recital 97:
- No instructions by the controllers or the processors regarding the exercise of the DPO’s tasks
- No dismissal or penalty by the controller for the performance of the DPO’s tasks
- No conflict of interest with possible other tasks and duties
10 What are the ‘other tasks and duties’ of a DPO which may result in a conflict of interests (Article 38(6))?
The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.
In short, the DPO shall:
- have an adequate knowledge of data protection law;
- be able to raise awareness and train the staff involved in the processing operations;
- be in an independent position;
- not be in a conflict of interests.
Given what I explained above, I believe a company’s internal IT manager would not be able to meet the GDPR requirements, since he or she could easily be in a conflict of interests.
Moreover, on 20 October 2016 the Bavarian State Commissioner for Data Protection (the “BSC”) announced that an organisation had been fined for appointing an IT manager employee as data protection officer: the BSC noted that a DPO cannot act independently and perform his or her duties whilst also having significant operational responsibility for data processing activities in a role such as IT manager.
I think another possible way could be appointing as DPO a legal entity with multiple professional skills (for example, legal and IT competence); this option is also proposed in point 2.4 of the WP29 Guidelines.