Is an external DPO in a situation of conflict of interest if he performs IT maintenance?

Hello there! :slight_smile:

I have an interesting question from a colleague, and to answer it I would like to have your opinion.

An organization happens to have an external DPO who is also an experienced IT specialist. This organization would like to be able to call on the skills of this DPO to carry out IT maintenance (no sale of equipment, products or licenses, just advice and service). The question that arises is: is this a situation of conflict of interest? If so, what measures can be taken to avoid this situation, or is it a blocker?

In my interpretation, a situation of conflict of interest for a DPO arises when he decides on the objectives and means of implementation of a processing operation. Since this person is external to the organization, he does not take part in deciding the objectives and purposes, but he does take part in the means of implementation. In addition, there is no supply of equipment, only labor time at a fixed rate.

What is your opinion on this issue? What measures could be taken to allow this situation? Or, on the contrary, is a conflict of interest inevitable, meaning this person cannot perform IT maintenance services?

Thanks in advance! :slight_smile:

The GDPR explicitly allows that the “data protection officer may fulfil other tasks and duties”, as long as there are no conflicts of interest. Relevant EU-wide guidance is WP 243, which gives examples of conflicts of interest:

The other tasks and duties of a DPO must not result in a conflict of interests. This means, first, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.

As a rule of thumb, conflicting positions within the organisation may include senior management positions (such … head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.

So since the DPO has an internal oversight function, they cannot also have data controller-like responsibilities and cannot represent the controller.

In your example, it is clear that there is opportunity for some degree of conflict of interest, but also that the DPO’s other tasks are not controller-like – in particular, no input on the purposes of processing, and only limited input on means as part of maintenance tasks. Thus, I would expect that the DPO is able to fulfil their oversight duty.

I’d be more uncomfortable with this situation if the DPO were also responsible for acquiring, implementing, developing, or setting up new systems, for example being responsible for replacing a CRM or ERP solution. It might also help avoid conflicts of interest if the DPO cannot recommend technical measures that lead to significantly more business on the maintenance contract.
