GDPR Penalty and the Role of the DPO
- Katarzyna Celińska

- 5 days ago
- 2 min read
The Polish Data Protection Authority (UODO) has imposed a GDPR administrative penalty in a case that raises an important issue: DPO independence.
Unfortunately, the publicly available description of this case is quite limited, which makes detailed analysis difficult. However, the decision itself touches a fundamental governance issue.
Based on UODO communication, the authority questioned whether the organization ensured:
➡️ proper independence,
➡️ and whether the way the function was organized could lead to a conflict of interest.
This aligns with the GDPR, which requires that the DPO:
➡️ performs their tasks independently,
➡️ is not instructed regarding the exercise of their duties,
➡️ and does not hold a position that results in determining the purposes and means of processing.

Image by creativeart on Freepik
In my view, the independence of the DPO is non-negotiable, but independence must be understood correctly.
The DPO should not combine their role with positions that directly decide about personal data processing, such as:
➡️ HR,
➡️ operational IT management,
➡️ business ownership,
➡️ administration or operational decision-making roles.
These functions clearly create a structural conflict of interest.
However, independence does not automatically exclude all other roles.
Security and Privacy
Where I strongly disagree with overly rigid interpretations is the idea that a DPO cannot be combined with information security responsibilities.
If we look at this pragmatically:
➡️ information security does not define the purposes of processing,
➡️ security focuses on confidentiality, integrity, and availability, so privacy and security objectives are largely aligned.
In smaller organizations especially, combining the roles of CISO and DPO can make sense. In such cases, I see synergy rather than conflict.
Time, Capacity, and Budget Conflicts
The real problem often appears elsewhere.
If, in practice:
➡️ the person formally appointed as DPO spends only 10% of their time on DPO tasks,
➡️ core obligations under the GDPR are not fulfilled,
➡️ and time allocation is driven by the operational priorities of another role,
then we are dealing with a functional conflict of interest, not necessarily a structural one.
This is a governance failure related to resource allocation, not job titles.
Governance Models
From a governance perspective:
➡️ the DPO is not a third line of defense,
➡️ the role clearly belongs to the second line.
This is consistent with:
➡️ the COSO model,
➡️ the IIA Three Lines Model.
In the same line, we often find:
➡️ Risk Manager,
➡️ Compliance Officer,
➡️ CISO,
➡️ Information Security Officer,
➡️ Health & Safety Officer,
➡️ Classified Information Security Officer.
These roles are advisory, oversight-oriented, and independent from day-to-day operations.
Author: Sebastian Burgemejster