21.10.2025

Agata Baca for Dziennik Gazeta Prawna: “Independence of the Data Protection Officer is a condition for effective data protection”

The Data Protection Officer should monitor compliance with the GDPR, not follow the instructions of superiors. In practice, in many companies, DPOs still operate within structures subordinate to IT, HR or security departments, which may violate the provisions of the GDPR. Recent decisions of the President of the Polish Data Protection Authority (PUODO) and court rulings show that such irregularities can generate costs amounting to hundreds of thousands of PLN. These issues are discussed by associate Agata Baca in her article published in Dziennik Gazeta Prawna. Read the article in Polish here!

Why is DPO independence so important?

According to Article 38 of the GDPR, the Data Protection Officer must operate without a conflict of interest and maintain full independence. Only under such conditions can a data protection system within an organisation function effectively. Unfortunately, reality often diverges from legal requirements — DPOs report to department heads responsible for data processing, supervise systems they themselves manage, or even sit on the management boards of companies whose activities they are supposed to oversee.

Costly mistakes – examples from case law

Recent decisions by supervisory authorities illustrate the consequences of violating the principle of DPO independence. Toyota Bank Polska S.A. received a fine of PLN 261,918 for placing its DPO in the IT security department, where he reported to a director overseeing data processing operations. In another case, the PUODO imposed a fine of PLN 11,365 on a medical company whose DPO was also the CEO — a situation deemed a clear conflict of interest.

What must data controllers ensure?

The data controller is obliged to create conditions that allow the DPO to operate independently. Key requirements include: direct reporting of the DPO to top management (the management board), a prohibition on giving the DPO instructions regarding the performance of their tasks, provision of adequate resources, and involvement in all matters related to data protection. The DPO cannot simultaneously perform functions that involve determining the purposes and means of data processing — they should not head IT, HR, finance, or security departments. Appointing a DPO who is also a member of the management board is also a poor solution, as it creates a situation where the same person makes decisions and simultaneously supervises them.

Outsourcing as a solution

For many organisations, especially smaller ones, outsourcing the DPO function may be the best option. Entrusting this role to an external entity helps maintain impartiality and minimises the risk of conflicts of interest. It is also worth remembering that violating DPO independence may result in penalties of up to EUR 10 million or 2% of the company’s global annual turnover — whichever amount is higher. Beyond financial penalties, a company also risks the loss of reputation and customer trust.

What penalties can companies face for the improper placement of a DPO within their organisational structure? Can a controller or a member of the management board serve as a Data Protection Officer? How can organisations ensure real DPO independence and avoid conflicts of interest? These and many other questions are addressed by Agata Baca in her article published in Dziennik Gazeta Prawna.

Read the article in Polish!
