quietdean | 7 years ago
And even if such a conflict does arise, as it surely will somewhere, the text linked states that the controller and processor shall ensure that such a conflict does not exist. It does not say that "You can't do this because 'conflict of interest'", it just says those two roles will ensure there will be no conflict of interest. If you read all the guidance, you will see that the DPO is the most protected role. It has the least liability. The data controller and processor have their own responsibilities, from a liability POV.
Unless you are the business owner/executive, DPO, data controller and data processor...I can't see this being a conflict of interest. Ever.
ThePhysicist | 7 years ago
> The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
> As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
In summary, if you have power to decide how or for what purposes the processing of the data is to be carried out, you're probably not allowed to serve as DPO. Of course in the end it's the company's decision who to give that role to, but not following the guidelines increases the chance of non-compliance.
1: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...