19/01/2024

When the data protection officer cannot perform his function

The DPO cannot simultaneously perform tasks that would limit his independence. Thus, among other things, he cannot hold a senior position in the company that involves determining the means and purposes of data processing, or even hold lower positions if they are involved in determining the purposes and means of data processing.

Who is a data protection officer and when you need to appoint one

The data protection officer, or DPO, is the key figure in a company when it comes to processing personal data. This position can only be held by a natural person; the law does not allow the role to be entrusted to a legal entity. According to recital 97 of the RODO (GDPR), this person should have expertise in data protection law and practice. With that said, “the necessary level of expertise must be determined in particular in light of the processing operations carried out and the protection required by the personal data processed by the controller or processor” (Recital 97, RODO). An enterprise can choose a data protection officer from among its employees, hire a person for the position, or entrust the task to an external entity. Regardless of whether the DPO has an employment relationship with the business owner, the DPO must perform the tasks independently and objectively, taking into account the risks associated with the data processing operations.

The DPO’s details must be made public

According to Art. 11 of the Polish Act on Personal Data Protection, an enterprise that has appointed a data protection officer must publish the officer’s details on its website as soon as the officer is appointed. Most often, the data protection officer’s details are included in the body of the terms and conditions or the privacy policy. If the business owner does not maintain its own website, it must make the data protection officer’s details generally available at its place of business. In addition, it is the entrepreneur’s duty to notify the President of the Personal Data Protection Office (UODO) of the appointment of such a person.

Who must appoint a DPO

Most companies in Poland are not required to appoint a data protection officer; they may choose to do so, but need not. The Data Protection Regulation imposes this requirement only on a select group of businesses. According to Art. 37(1) RODO, the obligation to appoint a DPO arises, among other cases, when:

“the core activities of the controller or the processor consist of large-scale processing of special categories of personal data referred to in Art. 9(1), or of personal data relating to criminal convictions and offences referred to in Art. 10.”

Tasks of the data protection officer

The data protection officer is appointed to carry out a range of tasks, which are listed in Art. 39(1) RODO. First, it is the DPO’s responsibility to inform the company’s data controller and the employees who process personal data of their obligations under applicable law. The DPO’s task is also to advise these individuals in fulfilling those obligations. Second, it is the DPO’s responsibility to monitor the company’s compliance with the Data Protection Regulation. The DPO should take measures to inform those who process data and to raise awareness of data protection among employed personnel. The DPO’s duties also include conducting audits and:

Conflict of interest issues

In practice, the scope of the DPO’s duties is often much broader than that set out in the RODO. Many companies, especially those with limited budgets, entrust the data protection officer with all the data processing duties imposed on businesses by law. However, business owners should realize that Art. 38(6) RODO introduces restrictions in this regard. According to that provision, “the data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” The reason is the need to guarantee the DPO a certain degree of autonomy and independence in their activities.

Conflict of interest in practice

In practice, a conflict of interest that limits the DPO’s independence arises when the DPO simultaneously performs tasks related to determining the purposes and means of data processing. It does not stop there. A conflict of interest can also arise if the DPO combines the function with a management position in the company. Another example, in certain situations, is combining the duties of the data protection officer with those of the administrator of the information system. What else should a DPO avoid? In practice, the data protection officer should not combine the function with a position in which they are responsible for granting authorizations to process data. It is also problematic to perform the function of the DPO while simultaneously reviewing personal data processing contracts and developing personal data protection documentation.

Position of the Article 29 Working Party

The Working Party on the Protection of Individuals was an independent advisory body established under Art. 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Among other things, its task was to issue opinions and recommendations. In its assessment, it is possible to list the positions whose occupation alongside the DPO function will lead to a conflict of interest: “As a general rule, executive positions (such as CEO, CIO, Chief Operating Officer, Chief Financial Officer, chief medical officer, marketing manager, HR manager, IT manager) will be considered to cause a conflict of interest, but also lower positions if they are involved in determining the purposes and means of data processing” (Article 29 Data Protection Working Party).

Why you should make sure your DPO operates without conflicts of interest

It is in the interest of companies to eliminate conflicts of interest. Their absence is a condition for the proper performance of the tasks belonging to the data protection officer. That is not the only reason an entrepreneur should take care to avoid them: excluding such conflicts is also a requirement of the law. A company that fails to prevent conflicts of interest and assigns the DPO’s duties to a person whose position cannot be combined with the DPO’s work without a conflict of interest can expect an administrative fine. The amount of such a fine can be up to €10,000,000 or, in the case of an undertaking, up to 2% of its total annual worldwide turnover for the previous fiscal year, whichever is higher.

Best practices and recommendations

How can the risk of a conflict of interest in a company be reduced? To this end, it is useful to follow the good practices identified by the Working Party. According to its recommendations, you can “identify positions that are incompatible with the DPO role, declare that there is no conflict of interest in serving as the current DPO, develop internal policies that prevent the combination of positions within the company that have a conflict of interest, and incorporate safeguards into the organization’s internal policies to ensure that recruitment announcements for the DPO position or service contracts are sufficiently clear and precise to mitigate the risk of a conflict of interest” (https://uodo.gov.pl/pl/495/2415, accessed on 13/3/2024).

Karolina Krawczyk, Of Counsel