Can the DPO be a person who fulfills the function of the head of a unit in the organisation?
According to Article 38(6) of the GDPR, the DPO may fulfill other tasks and duties, with the controller or processor ensuring that such tasks and duties do not result in a conflict of interests. The absence of conflict of interests is closely linked to the requirement to act in an independent manner. This means that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. The Article 29 Working Party’s Guidelines on Data Protection Officers (DPOs) identify examples of such positions. These include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.
Designating the head of a unit in an organisation as the DPO, such as the head of the IT department, who as a manager decides on methods to secure IT systems and designs systems for processing personal data, or the head of the HR department, who decides, for example, what data is collected from potential job candidates, means that the same person who, as head of the unit, determines how data is processed would also, as DPO, be examining the compliance of that processing with data protection regulations. Such a person would in effect be monitoring data processing operations that he or she decides on at the same time. It is worth noting that even if this person did not personally design the indicated systems, but they were designed, for example, by an employee of the given unit, this fact would be irrelevant, since it is the manager who is responsible for the entire activities of the unit, including those of subordinate employees.
In addition, when considering designating a person who holds the position of head of a unit in the organisation as the DPO, the controller should take into account at least three criteria:
- organisational (the DPO should report directly to the top management of the organisational unit),
- substantive (other duties should not negatively affect the independent fulfillment of the DPO's tasks),
- time (the DPO should have sufficient time to perform his or her tasks, taking into account, among other things, the number of duties or their complexity).
Consideration of the time criterion should include an analysis of whether a DPO who performs another function at the same time will be able to fulfill his or her duties in an appropriate manner, taking into account, in particular, the complexity and quantity of the other tasks. The DPO should have enough time to properly fulfill all of his or her tasks.
In summary, simultaneously fulfilling the function of the DPO and the function of the head of a unit in an organisation is not explicitly prohibited by the GDPR, but the controller's failure to conduct an analysis in this regard and to take into account the indicated criteria may consequently result in a violation of data protection regulations.