08.10.2025

A Data Protection Officer without independence – a real legal risk

Recently, two important decisions have been issued regarding Data Protection Officers (DPOs) – one by the Provincial Administrative Court (WSA) and another in proceedings before the President of the Polish Data Protection Authority (UODO). Both concern a key aspect of the DPO’s role – independence. In both cases, serious irregularities were identified in the organisational position of the DPO, which directly affected the effectiveness of personal data protection. A lack of genuine independence of the DPO constitutes a serious breach of the GDPR and may result in significant financial penalties. This is therefore a good moment to recall what constitutes a conflict of interest and what obligations Article 38 GDPR imposes on controllers and processors.

The Data Protection Officer must be independent

According to Article 38(3) GDPR, the controller or processor must ensure that the DPO does not receive any instructions regarding the performance of their tasks, and that the DPO is not dismissed or penalised for performing those tasks. The DPO must also report directly to the highest management level of the controller or processor.

DPO independence is not a formality – it is one of the foundations of effective data protection within an organisation. A lack of independence constitutes a violation of the GDPR, and therefore creates legal risks arising from improper data protection.

UODO vs. Toyota Bank Polska S.A.

The President of UODO found that Toyota Bank Polska S.A., as the data controller, had created a situation in which the DPO was not fully independent. The DPO did not report directly to the bank’s top management (i.e., the Management Board) – instead, they worked as an IT auditor/security specialist and later in the security department, reporting directly to the department director. Moreover, that director was also responsible for managing data processing activities and overseeing data security controls – the very activities the DPO was supposed to monitor.

Financial consequences and the WSA judgment

As a result, UODO imposed a financial penalty of PLN 261,918 on the bank. The bank appealed the decision to the court but lost.
In its judgment of 18 September 2025, the Provincial Administrative Court (WSA) upheld UODO’s position, finding that the DPO’s employment arrangement was contrary to the law. The controller failed to ensure that the DPO could perform their tasks without receiving instructions on how to carry them out. Therefore, the court dismissed the bank’s complaint.

The DPO as a management board member

In another case, UODO conducted proceedings against a medical services company in which the President of the Management Board simultaneously acted as the DPO. The company argued that this arrangement did not threaten the DPO’s independence, claiming that medical confidentiality excluded any conflict of interest and that the company’s president would best safeguard patients’ data. UODO, however, found this interpretation of Article 38(6) GDPR to be incorrect.

The DPO and conflict of interest

Under Article 38(6) GDPR, a DPO may perform other tasks and duties, provided that these do not result in a conflict of interest.
It is the controller’s responsibility to ensure that such conflicts do not arise. A conflict of interest occurs when circumstances could negatively influence the impartial and independent performance of the DPO’s duties.

UODO’s decision

According to UODO, the company violated the GDPR, as the President of the Management Board cannot simultaneously serve as the DPO.
Such an organisational setup contradicts the GDPR and does not guarantee that data protection obligations will be performed independently and objectively. A company can only effectively manage and secure personal data when an independent DPO can freely inform management about problems and indicate what needs improvement. UODO imposed a fine of PLN 11,365 on the company.

Conflict of interest in practice

A DPO must be independent of the individuals they monitor.
This principle has been reaffirmed in multiple UODO decisions, which emphasise that only an independent DPO can effectively ensure GDPR compliance.

In practice, conflicts of interest and lack of independence most often occur when the DPO simultaneously serves as:

  • a management board member,
  • an IT or security director, or
  • an auditor responsible for systems processing personal data.

Key takeaways for data controllers and processors

As a data controller or processor appointing a DPO within your organisation, you should:

  • Review the DPO’s organisational position – do they report directly to top management?
  • Identify potential conflicts of interest – the DPO cannot perform functions they are meant to supervise.
  • Ensure real independence – avoid situations where the DPO operates under managerial or hierarchical pressure.
  • Avoid treating the DPO as a formality – their role is not symbolic, but a key element of the data protection and GDPR compliance system.

The controller of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with its registered office in Kraków, Kącik 4 Street, 30-549 Kraków. Your data will be processed in order to provide the newsletter service and thus send commercial and marketing information to the e-mail address provided, in accordance with the Privacy Policy and the Terms of Service. For more information on the principles of personal data processing, including your rights, please see the Privacy Policy.