The Article 29 Working Party Guidelines on Data Protection Officers (‘DPOs’) further explain that the DPO should not “hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”. A list of typically or presumably conflicting positions within the organisation is also included in the Guidelines (page 16).
On November 9, 2018, Slovenia’s Information Commissioner (Informacijski pooblaščenec) published on its website the Recommendations regarding the operations of the DPO, which include a list of tasks that, if performed by the DPO, would typically result in a conflict of interest and should therefore be avoided by the DPO. These include:
- deciding upon the rights and obligations of an individual;
- deciding on setting up new filing systems, defining the purposes and scope of processing;
- deciding on organizational and technical measures for the security of the personal data;
- deciding on the engagement of processors and drafting of contracts between the organisation and the processors;
- deciding on the transfer of personal data to third countries or international organisations;
- carrying out a data protection impact assessment (DPIA);
- setting up or updating a record of processing activities;
- other tasks that include decision-making related to personal data where the DPO would find her/himself in a situation where she or he would have to scrutinise their own decisions.
In our view, the abovementioned examples support the often-overlooked fact that the DPO is not, and should not be, a (top) personal data operative, but rather a high-profile expert who should be spared from any day-to-day (processing) operations involving personal data.
Article provided by: Matija Jamnik (JK Group, Slovenia)