by Dr. Patrick Grosmann, M.A.
I. Introduction
In the data protection organization, the DPO plays a central role as an internal control body. At the same time, this central figure faces various potential conflicts of interest. Some conflicts (regarding the assignment of other tasks) are obvious, such as those between the role of a DPO and positions in executive management or as heads of IT or HR departments. This is offset by the regulations regarding the independence of DPOs under Art. 38 (3) GDPR, which ensures that DPOs do not receive instructions regarding their tasks. In practice, other (and less apparent) potential conflict situations can influence the performance of the DPO’s duties. The conflicts of interest described can affect internal and external DPOs as well as company and public authority DPOs in equal measure.
The following presentation shows the conflict situations of the DPO that are particularly relevant in practice. Only legally relevant conflicts of interest are taken into account. Legally relevant conflicts of interest arise when the legal system has made a valuation in favor of a position, and the enforcement of this position is threatened. In practice, DPOs face numerous potential conflicts that may jeopardize their independent status and task performance.
II. Central conflict situations in practice
1. Conflict through performance of other tasks
Art. 38 (6) GDPR prohibits the assignment of tasks that could lead to conflicts of interest. However, a strict separation is often not feasible in practice. Positions with relevant decision-making authority over data processing are particularly prone to conflicts. This includes leadership roles such as IT managers, HR managers, or heads of legal departments. Even IT department employees without leadership roles may face conflicts if they have significant influence over the scope of data processing.
In addition, there are some dual roles whose potential for conflict is assessed differently, for example that of a works council member or a head of compliance department. Multiple assignments can also lead to a relevant conflict of interest – one example is the incompatibility of the role of the DPO and the IT security officer.
2. Conflict between consulting and monitoring
A structural conflict of interest arises from the DPO’s dual function as both advisor and internal control body. On one hand, they should comprehensively advise the controller; on the other, they must monitor the controller’s data processing activities. This can lead to conflicts, for example, in conducting data protection impact assessments.
3. Conflict in advising various addressee groups
Art. 39 (1) lit. a) GDPR tasks the DPO with informing and advising both the controller and the employees. Simultaneously, Art. 38 (4) GDPR positions the DPO as a contact point for data subjects. This can lead to practical conflicts when the interests of the controller and data subjects diverge.
4. Conflict in cooperation with supervisory authorities
According to Art. 39 (1) lit. d) and e) GDPR, the DPO should cooperate with the supervisory authority and act as a contact point. This can lead to conflicts when the supervisory authority requests information that could jeopardize the controller’s interests.
5. Conflict in detecting serious violations
When a DPO identifies serious data protection violations that the controller is unwilling to address, they face a conflict between their commitment to data protection and their loyalty obligations to the controller.
6. Conflict in advising multiple parties to data protection contracts
Advising multiple parties to data protection contracts (e.g., Data Processing Agreements or Joint Controller Agreements) can lead to conflicts of interest in contract consultation, especially for external DPOs designated by both parties.
7. Conflict from the basic relationship
Conflicts can arise from the fundamental relationship, whether it is an employment relationship, civil service relationship, or service relationship:
- Internal DPOs face tension between contractual subordination and data protection-related independence.
- External DPOs must balance independence with economic dependence on the client.
- Public authority DPOs may face conflicts due to civil service subordination.
8. Special conflicts for lawyer DPOs
Lawyers serving as DPOs face specific conflicts arising from simultaneously applicable professional law. The lawyer’s duty to protect client interests can conflict with the neutral position required of a DPO.
III. Legal responses
Legal responses to conflict of interest of DPOs arise from both data protection law and the underlying legal relationship. The fiduciary duties within the underlying relationship are particularly significant. Gaps in DPO regulations can be partially addressed through these approaches.
Data protection law provides rules on the DPO’s position (Art. 38 GDPR) and tasks (Art. 39 GDPR), including provisions on designation, dismissal, resource allocation, and structural access. The controller’s duty to ensure independence is overarching. Confidentiality requirements (Art. 38 (5) GDPR) reinforce trust, while Art. 38 (6) GDPR explicitly prohibits conflicting task assignments.
Fiduciary duties from the underlying legal relationship form the second key component, influencing the DPO’s position and practical duties. These apply to all DPO types but are particularly relevant for external DPOs. Specific obligations may vary based on circumstances, potentially including disclosure or resignation duties in evident conflict situations. Additional legal considerations may arise from dual trust relationships or, for public sector DPOs, administrative law principles.
IV. Reducing Conflict Potential
The risk arising from these conflict potentials can be reduced through organizational and legal measures:
- The DPO role should be filled by a person who cannot decide on data processing matters. When assigning further tasks, it must be ensured that these are not accompanied by any decision-making authority regarding data processing. Particular caution is also required in the case of multiple designations – it must be ensured that no conflict of interest arises from these.
- Strengthen the DPO’s independent position by providing adequate personnel and material resources. The material resources include resources for training, literature and expert (technical or legal) advice. The human resources required depend significantly on the size and complexity of the respective organization.
- Implement effective protection against disadvantages related to task performance. Such protection against discrimination can be ensured by a data protection-friendly self-image of the respective organization.
- Make potential conflict situations transparent and document them so that conflicts are recognized early. To make conflict situations transparent, the DPO can also use their direct reporting channel to the management.
- The DPO can call in external expertise to avoid conflict situations and strengthen their independent position. Lawyers or IT security experts can be called in for advice. As the complexity of data processing increases, so does the need for such external advice.
V. Conclusion
The potential conflict areas for DPOs are primarily linked to their position, tasks, and basic relationship with the organization. Conflicts of interest represent a central challenge for DPOs. The outlined conflict situations demonstrate that the current legal regulations are not necessarily suitable for reliably preventing conflicts of interest in practice.
Dr. Patrick Grosmann, M.A.: Lawyer at the law firm FPS in Frankfurt. Certified data protection officer (TÜV®) and data protection auditor (DGI®), doctorate on conflicts of interest of data protection officers, lecturer for data protection officers. He advises on IT and data protection law as well as cyber security law.