Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed.
In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.”
The CJEU said this is “a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances.”
This is likely to be an “increasingly important, and hard,” distinction for privacy pros and organizations as they “grapple with the challenging confluence of regulatory compliance and business practice,” IAPP Director of Research and Insights Joe Jones said.
“That could be an intractable position for many organizations where their DPO wears many different hats, some of which may afford decision-making powers on what data to process, why and how,” he said.
The ruling comes ahead of the European Data Protection Board’s