It is necessary to separate the position of the DPO in the civil service
The President of the Personal Data Protection Office is calling for the position of ‘data protection officer’ (DPO) to be singled out in the list of civil servant positions. He has addressed the Head of the Civil Service on this issue, pointing out that this lack makes it difficult for the DPO to perform the function properly.
The subject of the lack of separation of the DPO in the table of groups of official positions relating to the civil service corps was raised repeatedly during this year's meetings conducted by Mirosław Wróblewski, President of the Personal Data Protection Office, with data protection inspectors. The General Director at the Ministry of Health, in her letter of 28 March this year, appealed for the President of the Personal Data Protection Office to take legislative action again with a view to singling out the position of the DPO. Personal Data Protection Office has received many signals and enquiries related to the above problem since the beginning of the application of GDPR.
The inclusion of the position of the DPO in the list is important
The list of civil servant posts systematises and organises the catalogue of civil service posts and makes them more transparent and readable. The absence of the position of Data Protection Officer in the list of posts precludes or hinders the adoption of solutions to guarantee the DPO to perform this function independently and effectively. This situation may adversely affect the level of personal data protection in public administration.
Arguments of the President of the DPA
The President of Personal Data Protection Office emphasises that the existing gap in the architecture of official positions hinders the proper fulfilment of the obligation of public authorities to appoint a DPO. First of all, it makes it impossible to employ the DPO in a separate position, which would allow the DPO to be independent.
It also results in the assignment of the DPO's duties as additional tasks to already employed staff even in situations where this may cause a conflict of interest. Furthermore, it is difficult for the employer, without a separate post, to ensure that the DPO is subordinate to the top management (in accordance with Article 38(3) of the GDPR), which is necessary to guarantee the DPO's independence.
As the President of the Personal Data Protection Office points out, the inclusion of a specific position in the list does not imply an obligation to create it. On the other hand, its absence from the list makes it more difficult to employ the position of a data protection officer in larger institutions, e.g. in ministries, central offices or provincial offices. Justifying his/her position, the President of the Personal Data Protection Office points to the obligation arising from the GDPR to ensure independent and proper performance of the DPO's functions by the controller, inter alia to ensure the DPO's direct subordination to the top management and the prohibition on imposing other tasks and duties on the DPO if they could cause a conflict of interest.
Combining the function of the DPO with other duties may create a conflict of interest (as referred to in Article 38(6) GDPR) and thus hinder the proper performance of the DPO's tasks and the performance of other tasks when there is a conflict between the two.
The President of the Personal Data Protection Office recalls that the GDPR obliges the management of a public entity in each specific situation to carefully analyse whether any other tasks or functions that the controller would intend to burden the inspector with would impede the proper performance of the duties set out in Article 39 of the GDPR. A conflict of interest occurs, inter alia, when the proper performance of the tasks of the controller cannot be reconciled with the performance of other tasks because there is a contradiction between the two, making it impossible to carry them out adequately. A conflict of interest may also arise due to an excessive number of duties entrusted to the DPO.
This issue becomes particularly relevant in the context of new statutory obligations imposed on public entities, at least some of which may place an additional burden on the DPO.
President of the Personal Data Protection Office request to the Head of the Civil Service
President of the Personal Data Protection Office has requested the Head of the Civil Service to distinguish the DPO in the list of civil servant positions. This is the fourth attempt made by the supervisory authority on this matter.
Previously, the President of the Personal Data Protection Office has intervened on this issue in speeches to the Head of the Civil Service:
- 15 April 2019, https://archiwum.uodo.gov.pl/pl/138/923
- 13 August 2019 https://archiwum.uodo.gov.pl/pl/138/1193
- 20 December 2019 https://archiwum.uodo.gov.pl/pl/138/1306
The content of the most recent speech to the Head of the Civil Service on the inclusion of the DPO in the list of civil servant positions can be read in the document attached below.