According to the Italian data protection authority, a DPO cannot play the role of data processor at the same time.
The Italian Data Protection Authority, known as the “Garante”, issued a significant ruling that has far-reaching implications for appointing Data Protection Officers (DPOs) within any organization, highlighting the importance of avoiding conflicts of interest.
The Garante has taken a stance against the designation of an individual as a Data Protection Officer when the same person simultaneously holds a position of authority within a company responsible for processing personal data on behalf of the entity for which it acted as DPO (in this case, a municipality). This practice raises concerns about potential conflicts of interest, which the Garante deems incompatible with the role of a DPO.
The GDPR outlines the responsibilities of data processors. It also emphasizes the importance of independence and avoiding conflicts of interest. According to the EDPB’s Guidelines on Data Protection Officers, DPOs can undertake additional functions, provided they do not lead to conflicts of interest. This limitation includes refraining from roles within the organization that involve defining the purposes or methods of personal data processing.
In the case at issue, the Garante raised concerns about a violation of the GDPR due to the designation as DPO of an individual who is entangled in a conflict of interest. This conflict arises from the fact that the individual holds a position contributing to critical decisions regarding data processing within the company designated as a data processor by the municipality. Additionally, the company’s influence in the decision-making process for selecting a DPO in the future could compromise the independent execution of the DPO’s duties. These duties include overseeing compliance with data protection regulations and the data controller’s policies, including the allocation of responsibilities.
The ruling by the Garante emphasizes the need for utmost transparency and impartiality in appointing Data Protection Officers. It underscores the significance of preventing conflicts of interest that could compromise the essential role of DPOs in safeguarding personal data and ensuring compliance with data protection laws.
This is not the Garante’s first case on the topic: in a previous case, it covered the potential conflicts of interest of a DPO with the external legal counsel. As such, it is a hot topic. You may also find the following article interesting: “The Italian privacy authority rules on the definition of personal data and the relevance of the DPO’s opinion”.