Skip to main content

Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests


Paragraph 6, Article 38 of the General Data Protection Regulation (GDPR) allows the Data Protection Officer (DPO) to fulfil other tasks and duties (beside serving as the DPO) for the controller or processor, provided however, that fulfilling such additional assignments doesn’t amount to a conflict of interest.

The Article 29 Working Party Guidelines on Data Protection Officers (‘DPOs’) further explain that the DPO should not “hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”. A list of typically or presumably conflicting positions within the organisation is also included in the Guidelines (page 16).

On November 9, 2018, the Slovenia’s Information Commissioner (Informacijski pooblaščenec) published on their website the Recommendations regarding the operations of the DPO, which include a list of tasks that, if performed by the DPO, would typically result in a conflict of interest and should therefore be avoided by the DPO. These include:


  • deciding upon the rights and obligations of an individual;
  • deciding on setting-up new filing systems, defining purposes and scope of processing;
  • deciding on organizational and technical measures for the security of the personal data;
  • deciding on engaging the processors and drafting of contracts between the organisation and the processors;
  • deciding on the transfer of personal data to third countries or international organisations;
  • carrying out of a data protection impact assessment (DPIA);
  • setting-up or updating a record of processing activities;
  • other tasks that include decision-making related to personal data where the DPO would find her/himself in a situation when she or he would have to scrutinise their own decisions.

In our view, the abovementioned examples support the often-overlooked fact that the DPO is not, and should not be, a (top) personal data operative, but rather a high-profile expert who should be spared from any day-to-day (processing) operations involving personal data.


Article provided by: Matija Jamnik (JK Group, Slovenia)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.