Independence of the DPOs must be the standard - summary of the outcomes of the meeting at the DPA
The proper performance of the DPO's function, including with regard to its independence, must be ensured by controllers, the supervisory authority and the DPOs themselves alike. The positions and guidance developed over the years by the DPA may be helpful in achieving this goal.
The issue of the independence of data protection officers (DPOs) in the light of the national report of the 2023 Coordinated Enforcement Action DPO (CEF DPO) of the EDPB was the main topic of a meeting with the DPO community organised by the DPA on 9 April. Its hybrid format allowed more than 600 people to participate - both DPOs themselves and representatives of organisations that associate them or bring together companies providing services in this area.
Main issues and threats to DPO’s independence
At the meeting, representatives of the DPA discussed the standards for DPO’s independence under the data protection legislation and the problems occurring in practice, such as:
- imposing the controller's obligations on the DPO,
- conclusion of a personal data processing entrustment agreement between the controller and the DPO,
- the DPO's acting as a proxy of the controller.
Their speeches and the accompanying presentation were based on positions previously published on the Office's website (e.g. Can the controller delegate its duties to the DPO?, Should keeping a register of activities be counted among the DPO's tasks?, Should an entrustment agreement be concluded with an external DPO?, The controller is responsible for the realisation of persons' rights regarding access to the data concerning them (UODO Bulletin, Issue 1 (January 2024)), Country report of the Polish supervisory authority under CEF DPO).
Solutions favourable to DPO’s independence
The participants of the meeting jointly reflected (also in the form of chat comments) on what solutions should be in place to support the independence of DPOs so that they can properly perform their function and take on new challenges in the field of personal data protection.
21 messages to a special e-mail box
In addition, a special e-mail address (niezaleznoscIOD@uodo.gov.pl) was launched after the meeting. Until 16 April, it was possible to send there opinions on the topics discussed at the meeting and suggestions on what could be done to help ensure that officers have the right status and conditions to perform this function. This form of contact was used by 21 entities - both officers and organisations. The senders of these messages:
- shared their experiences in performing the DPO’s function (e.g. cases of imposing controller’s tasks on DPOs, controllers' lack of awareness of the role, tasks and status of DPOs);
- presented specific questions on the tasks performed by the DPO (e.g. in relation to data breaches, performing the role of the point of contact, carrying out audits or functioning in shared service centres);
- postulated actions that could improve the perception of the role of the DPO and the performance of his/her function (e.g. limiting the possibility to contract the DPO’s function for PLN 200-300 and providing such services to a large number of controllers);
- sent their thanks for organising a meeting on such an important topic as the independence of DPOs and asked for the presentation to be made available, which we hereby do (the presentation file is attached below).
Need to disseminate good practices
The analysis of messages posted in the chat room and sent to a specially launched address niezaleznoscIOD@uodo.gov.pl shows that the practice of performing the function of a data protection officer (including in terms of his/her independence) in some cases deviates from the standards set and guaranteed by the provisions of the GDPR and promoted by the DPA since its entry into force. That is why it is so important to continue to undertake actions and initiatives promoting correct (legally compliant) patterns of performing this function. In order for these activities to be as effective as possible, it is advisable that, in addition to the supervisory authority, controllers, officers and other entities and organisations, e.g. associating officers, are also involved.
Letters from organisations
Following the meeting on the independence of DPOs, in addition to messages to the dedicated email box, other letters were received by the Personal Data Protection Office referring to the issues raised at the meeting, including two letters from organisations associated with the DPO community.
One of these letters came from three organisations: the Association of Information Security Administrators (SABI), the Association of Data Protection Practitioners (SPOD) and the Association of Data Protection Companies (ZFODO). It included thanks for organising a meeting on the independence of the DPO’s function, including the avoidance of conflicts of interest when performing this function in both small and large organisations. In the opinion of its authors, this is a very important issue for the DPO community, affecting the effectiveness of performing the task of monitoring the protection of personal data in accordance with the provisions of the GDPR, as well as ensuring a high level of protection of data subjects' rights. At the same time, the letter proposed the organisation of a DPO Working Group to develop standards and guidelines for the performance of the DPO’s function.
The Association of Data Protection Officers (SIODO) also sent its position. Its representatives, thanking the Personal Data Protection Office for its initiatives and commitment to cooperation with DPOs, expressed their conviction that these will contribute to strengthening respect for citizens' constitutional right to privacy and adequate protection of personal data, as well as the effective implementation of the provisions of the GDPR. They indicated that they appreciated the clear and unambiguous voice of the Personal Data Protection Office regarding the status of the DPO and the strengthening of its position. In the Association's view, the DPO taking on the controller’s tasks may lead to a regression of the controller's awareness of the responsibilities incumbent on it, as well as an increased tendency to cede to the DPO the tasks incumbent on the controller. In their view, this is particularly important given the increasing number of pieces of legislation, especially those relating to information security and cyber security, the application of which will be a huge challenge for many private and public sector entities. In the Association's view, the management of controller entities should demonstrate active leadership and commitment to building a culture of information security, including a culture of protection of personal data and the right to privacy. In this context, ceding to the DPO the competences and the implementation of duties that belong to the controller seems destructive to these values.
The standards are already there. They need to be applied and disseminated
In his response to the aforementioned organisations' letters, the President of the Personal Data Protection Office first of all thanked their authors for their active attitude and commitment to the data protection officer’s community. He pointed out that the issue of the necessity to ensure the DPO's independence, guaranteeing the proper and effective performance of this function, has been constantly emphasised on the occasion of various activities, e.g. CEF DPO, or in CJEU rulings - e.g. in the judgment in case C-453/21. He also stressed that adherence to the requirements aimed at ensuring the DPO's ability to properly perform its function is particularly important, especially in the context of new EU regulations and digital challenges.
The President of the Personal Data Protection Office also pointed out that since the beginning of the application of the provisions of the General Data Protection Regulation, the Office has developed many guidelines and instructions regarding ensuring the conditions for the proper functioning and performance of tasks for the DPO. These have been successively published over the past years on the Personal Data Protection Office’s website, primarily in the Data Protection Officer tab or in the Personal Data Protection Office’s Newsletter for DPOs (Personal Data Protection Office’s Bulletin), e.g. in Issue 4 (April 2022), and more recently in the national report of the Polish supervisory authority prepared in connection with participation in the CEF DPO action. The President emphasised that the 27 questions campaign aimed at verifying the Personal Data Protection Office's compliance with the provisions regarding data protection officers showed that many organisations put a lot of effort into the proper implementation of the provisions regarding the functioning of the Data Protection Officer in their organisations, as proof of which they had provided solid and substantiated explanations of how the relevant arrangements were working in their organisations.
The President of the Personal Data Protection Office also assured that he would make every effort to ensure that the aforementioned standards continue to be disseminated among the addressees of the legislation and that they are complied with by them. Indeed, it is also the duty of the supervisory authority to monitor and enforce the law in force in this respect. At the same time, he pointed out that organisations associating and supporting DPOs are an important partner for the supervisory authority in its efforts to raise awareness, both among DPOs and among controllers, of the role and status of DPOs, especially of the guarantees provided for in the GDPR for the independent exercise of this function. One important activity for this purpose could be the dissemination by associations of the positions and guidance developed by the Personal Data Protection Office in this regard.
In the opinion of the supervisory authority, it is worthwhile that the DPOs themselves are also involved in safeguarding their own independence. As data protection professionals, they should be expected to be responsible, to uphold compliance with the law and to be diligent in their advisory and compliance monitoring function. The professional nature of this function should entail increased requirements in terms of skills, knowledge and preventive care in the field of personal data protection. For example, the DPO - in view of his or her role as an expert advisor and independent entity monitoring compliance with data protection law - should, for his or her part, identify and signal to the controller at an early stage threats to the DPO's independence (e.g. risks of conflict of interest) so that they can be prevented.
The President of the Personal Data Protection Office also expressed his conviction that the guidelines developed over the years in cooperation with data protection officers and controllers and posted on the authority's website have been and will continue to be a necessary foundation for DPO organisations for projects aimed at improving and disseminating standards for the lawful performance of controllers' duties towards DPOs and, on the other hand, for the competent performance of tasks by DPOs. He declared that the supervisory authority will support all initiatives concerning the professionalisation of the DPO’s function that take into account the guidance and recommendations developed by the supervisory authority.
In addition - referring to the recently announced public consultation by the Personal Data Protection Office on two guides, i.e. the guide on data processing in employment "Personal data protection in the workplace. A guide for employers" of 2018 and the guide on responding to personal data breaches "How controllers should deal with data protection breaches" of 2019 (see https://uodo.gov.pl/pl/138/3098) - the President of the Personal Data Protection Office encouraged organisations to submit comments and suggestions as part of this initiative.