The DPO as a measure of accountability. Guidelines and safeguards in the light of the case law of European Supervisory Authorities

A little more than three years after Regulation (EU) 2016/679 (“GDPR”) became fully applicable in Europe, it is worth asking what operational role the Data Protection Officer (“DPO”) has actually assumed in the activities of large companies and public bodies, and whether that role is in line with the rationale underlying Articles 38 and 39 GDPR, which respectively regulate the position and the tasks of the DPO.

The decisions of the European Supervisory Authorities and, in particular, a recent decision of Luxembourg’s Supervisory Authority will certainly assist professionals and business operators in finding a concrete answer to these questions, as they provide important clarifications[1].


The decision of the Luxembourg Supervisory Authority: the importance of the DPO’s independence

The Luxembourg Supervisory Authority has developed a broad investigation campaign specifically aimed at verifying compliance with the rules governing the function of the DPO in public and private entities. In the context of this campaign, the Authority found that a company had failed to comply with a number of relevant provisions regulating the position and tasks of the DPO and, in June 2021, imposed a fine of €15,000. More specifically, the sanctioned company was found to have placed the DPO in inappropriate conditions for the performance of his or her tasks: there were no organisational mechanisms capable of ensuring the DPO’s timely involvement in the most relevant matters, in breach of Article 38(1) GDPR, and the DPO was unable to report directly to the company’s top management, in breach of Article 38(3) GDPR. On the basis of these findings, the Luxembourg Supervisory Authority also held that the DPO’s performance of the advisory and supervisory tasks provided for in Article 39(1)(a) and (b) GDPR was inadequate and ineffective.

The decision, the main points of which are summarised above, appears to confirm the idea that the DPO is a measure for ensuring the accountability of the data controller. In other words, the DPO is an instrument that reinforces the guarantee that all data protection compliance obligations are correctly fulfilled, through varied and multifaceted activities such as advice, training, monitoring and support in the assessment of privacy risks[2]. This framing of the DPO’s role seems to bring out and strengthen the rationale underlying Articles 38 and 39 GDPR.

Moreover, from this perspective it also seems possible to draw with precision the “boundary line” between the role of the DPO and that of the other offices and corporate functions of the organisation in which the DPO is placed. In this regard, it must be stressed that the DPO should have only an advisory role and no decision-making powers; it is the organisation that remains the principal centre to which all decisions, and all the related responsibilities, are attributed, especially when it determines the purposes and means of the processing as data controller (Articles 4(7), 5(2), 24, 82 and 83 GDPR).

Moreover, in the light of the recommendations of the Luxembourg Supervisory Authority, the fundamental premise for the most effective and correct exercise of the complex function of the DPO is the safeguarding of his or her independence, as confirmed by Recital 97 GDPR and by the recommendations issued by the European Supervisory Authorities and the Article 29 Working Party (now the European Data Protection Board)[3]. As illustrated in the following section, the independence of the DPO also depends on the designating organisation complying with certain legal obligations, mainly under Article 38 GDPR.


The independence of the DPO and the DPO as a safeguard

The independence of the DPO can be defined as a form of detachment of the DPO from the purposes pursued by the organisation that has designated him or her. Independence is also a condition of autonomy and of integrity of judgement in matters relating to the processing of personal data.

Among the main obligations to ensure the independence of the DPO is the obligation under Article 38(3) GDPR to ensure that the DPO reports directly to top management, without the interposition of filters, decision-making barriers or other procedural and organisational mechanisms that could weaken the effectiveness of his or her opinions and communications[4]. Fulfilling this obligation reduces the risk that the DPO’s opinion, especially a dissenting one, is diluted as it passes through the company’s offices before reaching top management and thereby loses its effectiveness; this reading of the provision is confirmed by judgment no. 1043 of 21 December 2018 of TAR Sardegna, Sec. II[5].

Moreover, alongside the provisions of Article 39 GDPR, Article 38(6) GDPR is of paramount importance for ensuring the DPO’s independence, because it requires that the other tasks and duties undertaken by the DPO do not give rise to any risk of conflict of interest with respect to the position and tasks assigned to the DPO by law[6]. According to the Guidelines of the Article 29 Working Party[7], a conflict of interest exists whenever the DPO holds a role that leads him or her to take part in decision-making and processing activities; this approach is also confirmed by a number of decisions of the European Supervisory Authorities[8].

Other obligations to ensure the independence of the DPO include, by way of example, the following: the obligation to involve the DPO in the management of data protection issues in a timely manner through appropriate organisational measures[9]; the obligation to ensure that the DPO does not receive instructions on the exercise of his or her functions; and, lastly, the obligation that the DPO is not in any way dismissed or penalised by the data controller for reasons related to the exercise of his or her functions (Article 38(3), 1st and 2nd sentence, GDPR)[10].


Concluding remarks and practical recommendations

The proper fulfilment of these obligations contributes decisively to ensuring the independence of the DPO, which in turn is the main condition for the effectiveness of his or her contribution to the application of data protection compliance measures.

In this sense, it is very significant that the decision of the Luxembourg Supervisory Authority forms part of an inspection programme specifically aimed at verifying compliance with the rules designed to support the activities of the DPO. It is reasonable to expect that other European Supervisory Authorities may act in a similar way.

It is therefore strongly recommended that companies and public bodies implement measures to preserve the independence of the DPO and thus ensure that he or she is able to carry out his or her work effectively.

In conclusion, the most useful measures to ensure compliance with Articles 38 and 39 GDPR include the following:

        • ensure that the DPO is involved in personal data protection issues in a timely manner by means of guidelines or other appropriate organisational mechanisms, and that he or she is able to engage in dialogue and exchange views on a daily basis with the main functions involved in personal data processing activities (e.g., IT, HR, marketing);
        • give the DPO an organisational position that enables him or her to interface with the top management of the organisation in a direct, immediate, agile and efficient manner, without organisational filters or decision-making barriers;
        • provide for a structural separation between the DPO’s office and the other corporate/administrative offices, and reflect this adequately in the corporate/administrative/functional organisation chart;
        • prepare internal guidelines and procedures setting out practical and principle-based criteria for identifying conflicts of interest and the remedies or actions to be taken where they arise (e.g., between the office of the DPO and any other roles held), particularly where the organisational separation referred to above cannot be achieved.


[1] See Délibération n° 20FR/2021 du 11 juin 2021.

[2] See, with reference to the configuration of the DPO as a measure to guarantee accountability obligations, the aforementioned Délibération n° 20FR/2021 du 11 juin 2021, which states as follows: “As to the nature and gravity of the infringement [Article 83(2)(a) GDPR], with regard to the breaches of Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR, the restricted panel notes that the appointment of a DPO by an organisation can only be efficient and effective, that is, facilitate the organisation’s compliance with the GDPR, where the DPO is involved at the earliest possible stage in all issues relating to data protection, performs his or her functions and tasks in full independence, and effectively carries out his or her tasks, including the task of informing and advising the controller and the task of monitoring compliance with the GDPR”.

In this respect, see L. Bolognini, E. Pelino, C. Bistolfi, Il Regolamento Privacy Europeo. Commentario alla nuova disciplina sulla protezione dei dati personali, Milan, 2016, p. 330.

[3] Although the independence of the DPO is primarily expressed in the provisions forming Article 38 GDPR, an explicit reference to it can only be found, as mentioned, in recital 97 of the GDPR, according to which “[…] Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. See also the Guidelines on Data Protection Officers (‘DPOs’) of the Article 29 Working Party, published on 13 December 2016 and amended on 5 April 2017; Documento di indirizzo su designazione, posizione e compiti del Responsabile della protezione dei dati (RPD) in ambito pubblico, published by the Garante per la protezione dei dati personali on 29 April 2021, and its earlier FAQs on the Data Protection Officer (DPO) in the private sector and those in the public sector.

[4] According to Article 38(3) of the GDPR: “The data protection officer shall directly report to the highest management level of the controller or the processor”.

[5] In this regard, see TAR Sardegna, Sec. II, judgment no. 1043 of 21 December 2018, which incidentally addressed the issue of the independence of the DPO within the Sardinian Regional Administration. Specifically, the judgment indicates that the DPO should be placed hierarchically as high as possible within complex organisational structures, “directly reporting” (in organisational terms, of course) to the managerial figures. The judgment also reveals a further significant aspect: the structure of the organisation chart should guarantee the DPO an agile, streamlined and flexible channel of interface with the highest management level of the data controller.

[6] Article 38(6) of the GDPR states that “The data protection officer may fulfil other tasks and duties” and that “The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”. It should be noted that the wording of the provision refers to tasks that “result in a conflict of interests” and not, sic et simpliciter, to a conflict of interest as such. The interpreter is therefore (prudently) led to argue for a very broad scope of application of the rule, one that also covers the mere risk of a conflict of interest.

[7] In particular, see Guidelines on Data Protection Officers (‘DPOs’) of the Article 29 Working Party.

[8] Concerning the presence of conflicts of interest, the decision of the Belgian Supervisory Authority is particularly significant: on 28 April 2020, it imposed a fine of €50,000 on a Belgian company, based, inter alia, on a breach of the obligation under Article 38(6) of the GDPR. In this case, the Belgian Supervisory Authority found that the DPO did not occupy a position sufficiently free from conflicts of interest, as he was also responsible for the compliance, risk management and internal audit departments. According to the Authority, the performance of these functions inevitably involved the DPO in decision-making on the purposes and means of processing. In addition, the company was also criticised for not having rules and guidelines at corporate level aimed at identifying and resolving any possible conflict of interest between the various positions held by the DPO pursuant to Article 38(6) of the GDPR.

In this regard, see also the communication of 15 February 2021 of the Icelandic Supervisory Authority, which found no conflict of interest in a case where a person acted both as DPO and as compliance officer, given that the organisation demonstrated the adoption of internal procedures aimed at preventing, managing and resolving possible conflicts of interest.

See, again, TAR Sardegna, Sec. II, judgment no. 1043 of 21 December 2018, which states that the organisational unit of the DPO should not be fragmented into sub-structures or sectors, but should be autonomous and separate from the other corporate functions; this, of course, with the main purpose of preventing the organisational arrangement of the offices from giving rise to a conflict of interest relevant under Article 38(6) of the GDPR.

[9] By virtue of Article 38(1) of the GDPR: “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.

[10] By virtue of Article 38(3) of the GDPR: “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks”.

ICTLC Italy
italy@ictlegalconsulting.com