The Icelandic data protection authority (Persónuvernd) (“DPA”) recently held that a conflict of interest exists when a company’s data protection officer simultaneously acts as a representative of that company, i.e., as a member of its management.
The decision was issued after the DPA investigated the operations of an Icelandic genetic research company.
During the investigation, the DPA requested that the company provide certain data so that the DPA could examine whether the position of the company’s data protection officer complied with the provisions of Article 38 of the GDPR.
Outcome of the procedure
Having carried out the appropriate procedure, the DPA concluded that there was no infringement of Article 37 of the GDPR, which sets out the obligation to designate a data protection officer, or of Article 38(1) and Article 38(2) of the GDPR, under which the data protection officer must be involved, properly and in a timely manner, in all issues relating to personal data protection and must have access to the resources necessary for the performance of his/her duties.
However, the DPA found that the controller had violated Article 38(3) of the GDPR, which concerns the independence of the data protection officer. That provision requires the controller/processor to ensure that the data protection officer does not receive any instructions regarding the performance of his/her tasks, that he/she is not dismissed or penalised for performing those tasks, and that he/she reports directly to the highest management level of the controller/processor.
In this case, at the time of the investigation, the data protection officer simultaneously held the position of deputy CEO of the company concerned and sat on its board, which implies a conflict of interest.
Data protection officer in domestic legislation
The status of the data protection officer is regulated by Articles 56-58 of the Law on Personal Data Protection (Official Gazette of RS no. 87/2018) (“Law”).
Under Article 57, paragraph 8 of the Law, the data protection officer may perform other tasks and duties, but the controller/processor must ensure that the performance of such tasks/duties does not place the data protection officer in a conflict of interest. Given the different organisational structures of controllers/processors, whether a conflict of interest exists must be assessed on the basis of the individual circumstances of each case.
The Law further stipulates that a controller or processor may designate a data protection officer, and is obliged to do so if:
- the processing is carried out by a state authority, unless it is carried out by a court in the exercise of its judicial authority;
- the main activities of the controller or processor consist of processing operations whose nature, scope or purpose requires regular and systematic monitoring of a large number of data subjects;
- the main activities of the controller or processor consist of processing special categories of personal data, or personal data relating to criminal convictions and offences, on a large scale.
Like the GDPR, the Law stipulates that the controller and processor are obliged to involve the data protection officer, properly and in a timely manner, in all activities relating to personal data protection; to enable that person to perform his/her duties by providing the necessary resources, access to personal data and processing activities, and professional training; and to ensure the independence of the data protection officer in the performance of his/her duties. In addition, the controller and processor may not penalise the data protection officer, or terminate his/her employment or other contract, for performing his/her duties in accordance with the Law.
The data protection officer is designated on the basis of professional qualifications, in particular expert knowledge and experience in personal data protection and the ability to perform the prescribed duties. Such a person may be an employee of the controller or processor or may perform his/her activities under another type of contract. In performing the duties prescribed by the Law, the data protection officer reports directly to the head of the controller/processor.
The controller or processor is obliged to make the contact details of the data protection officer available and to provide them to the Commissioner for Information of Public Importance and Personal Data Protection, which keeps a register of data protection officers.
The data protection officer shall, at a minimum:
- inform and advise the controller or processor, as well as the employees who carry out processing, of their legal obligations relating to personal data protection;
- monitor compliance with the Law, other laws and the internal rules of the controller and processor relating to personal data protection, including the assignment of responsibilities, awareness-raising and training of employees involved in controlling and processing operations;
- provide an opinion, where requested, on the data protection impact assessment and monitor the follow-up activities to that assessment;
- cooperate with the Commissioner for Information of Public Importance and Personal Data Protection, act as the contact point for that authority, and consult it on matters relating to processing, including notifications and requests for opinions.
This article is intended to be purely informative and does not constitute legal advice. Should you need additional information, please contact us directly.