Is it possible to combine the DPO’s function with tasks related to handling requests from whistleblowers?
We are waiting for the entry into force of national regulations implementing the so-called Directive on the Protection of Whistleblowers No. 2019/1937. The question concerns the person who would receive possible reports of whistleblowers and conduct investigations regarding reported irregularities. Can the company entrust such a function to a person performing the function of a DPO? Will we not have to deal with a conflict of interest in this case?
The organisation of the process for receiving and handling reports on irregularities is governed by Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. Currently, in Poland, work is underway on a draft law implementing this directive, so we do not know the final shape of the solutions adopted in it, including those regarding the tasks and status of staff members responsible for handling reports of infringements of the law.
The Directive addresses these matters in particular in the following recitals and provisions.
Recital 74 of the Directive states that staff members of the competent authorities who are responsible for handling reports should be professionally trained, including on the applicable data protection rules, so that they can handle reports, communicate with the reporting person and follow up on the report in a suitable manner.
Recital 77, in turn, states that staff members of the competent authority who are responsible for handling reports, and staff members of the competent authority who have the right of access to the information provided by a reporting person, must comply with the duty of professional secrecy and confidentiality when transmitting the data both inside and outside the competent authority.
Article 12(4) of the Directive states that Member States shall ensure that competent authorities designate staff members responsible for handling reports, and in particular for:
- providing any interested person with information on the procedures for reporting;
- receiving and following up on reports;
- maintaining contact with the reporting person for the purpose of providing feedback and requesting further information where necessary.
The Directive does not, however, regulate whether the tasks of the persons handling reports may be combined with other tasks.
In this situation, before entrusting the person performing the function of the DPO with other tasks or duties (here: receiving reports from whistleblowers and conducting investigations), the controller should carefully analyse whether the DPO will still have the conditions needed to remain independent and to perform the DPO's tasks properly. This assessment should be made taking into account the relevant provisions of the GDPR and the Article 29 Working Party's Guidelines on Data Protection Officers (WP 243).
According to Article 38(6) of the GDPR, the DPO may "fulfil other tasks and duties". The same provision, however, goes on to require that "the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests".
A conflict of interest occurs if the proper performance of the DPO's tasks cannot be reconciled with the performance of other tasks, because there is a contradiction between the tasks, preventing their proper implementation. A conflict of interest may also be the result of an excess of duties assigned to the DPO, if the DPO has to choose between the duties that he/she will perform and those that he/she will not be able to cope with due to lack of time necessary to perform them.
The requirement not to create a conflict of interest is closely linked to the requirement to perform the DPO's tasks in an independent manner. This means that the DPO cannot hold a position in the organisation in which the purposes and means of data processing are determined. The above-mentioned Guidelines on DPOs give examples of such positions: senior management positions (such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of the IT department), but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing.
The assessment of whether a particular person and the tasks performed by him or her are free of conflict of interest should be made on a case-by-case basis, taking into account the specific circumstances. This means that the possibility of a conflict should be constantly monitored, because the causes of such a conflict may also occur at a later time, after the DPO has taken up his/her function.
The controller should take into account, among others, the following criteria:
- organisational (the DPO should report directly to the highest management level of the organisation),
- substantive (the other duties should not adversely affect the independent performance of the DPO's tasks),
- temporal (the DPO should have sufficient time to perform his/her tasks, taking into account, among others, the number of duties and their complexity).
As regards the organisational criterion, where one person performs the DPO's function alongside other tasks, an arrangement in which that person reports to, for example, a department director, a head of division or any other person (e.g. the director general of a public authority) who is not the highest management level within the meaning of Article 38(3) of the GDPR is ruled out.
In conclusion, before entrusting the DPO with other tasks, the controller should analyse whether the DPO will still be able to perform his/her duties properly. Failure to carry out such an analysis may itself result in a breach of the provisions on the protection of personal data.
Finally, it is worth noting that the principle of accountability provided for in the GDPR requires, in particular, that controllers demonstrate the logic on which they based their decisions and be able to justify why they adopted certain solutions.
Further information on the obligations of the controller set out in Articles 37 and 38 of the GDPR, and on the criteria for assessing whether a person performing the function of a DPO may also perform other functions and duties, can be found in the DPO tab on our website. Valuable guidance is also provided by the decisions of the President of the Personal Data Protection Office and of other EU supervisory authorities, as the authorities obliged to enforce compliance with the above-mentioned provisions (referred to, among others, in Article 83(4)(a) of the GDPR).