Can the DPO function be combined with the profession of a barrister or legal advisor?
The issue of the permissibility of simultaneously serving as a data protection officer and practicing as a barrister or legal advisor in the light of the regulations governing the practice of these professions became the subject of the President of the Office's addresses to both self-governments in 2018. At the request of the President of the Office, both self-governments presented their opinions.
In the opinion of the Supreme Bar Council (SBC), practicing the profession of a barrister does not exclude the simultaneous performance of the function of a data protection officer (DPO), since the provisions of the GDPR guarantee the DPO's independence, which is also the basis for practicing the profession of a barrister. The tasks entrusted to the DPO do not offend the dignity of the barrister, do not limit his or her independence and do not undermine confidence in the bar. In the case of the DPO, independence is guaranteed by, among other things, the DPO's subordination to the highest management, the prohibition of issuing instructions to the DPO, and the prohibition of dismissal of the DPO for performing his or her tasks. Given the wording of Article 1(3) of the Law on the Bar of May 26, 1982 (Journal of Laws of 2018, item 1184, as amended), it is permissible for a barrister to perform the function of the DPO on the basis of a civil law contract (Article 37(6) of the GDPR). In its opinion, the SBC emphasised that a necessary condition is that the barrister has knowledge of data protection in accordance with Article 37(5) of the GDPR.
The National Bar Association of Legal Advisors (NCRP) has issued an opinion that the performance of DPO function cannot be qualified as a subcategory of the concept of providing legal assistance, although these areas have some common scopes. Due to certain risks, in particular related to potential violations of the rules of professional ethics and the divergent characteristics of the functions of legal advisor and DPO, the NCRP recommends not combining the performance of these roles within a single entity (data controller/client). The NCRP also pointed out the necessity for DPOs to have appropriate qualifications , especially in terms of tasks that lie outside the scope of the concept of providing legal assistance, e.g., knowledge of technical aspects, operation of IT systems, IT security, risk assessment, conducting audits.
The opinions provided by the self-governments confirm that a sound analysis as to the admissibility of entrusting the DPO with additional duties should include many aspects related to the regulations of the profession in question and the status, tasks and qualification requirements placed on the DPO. It should be emphasised that it is the controller’s responsibility to ensure that entrusting the DPO with additional tasks and duties does not create a conflict of interests (Article 38(6) of the GDPR).