
The Data Protection Officer (DPO) Cannot Represent Their Client

The Spanish Data Protection Agency (AEPD) has significantly increased its oversight and enforcement of the General Data Protection Regulation (GDPR) in recent years, leading to a surge in penalties for non-compliant organizations. In this context, the role of the Data Protection Officer (DPO) has become increasingly important. However, a recurring question in the legal and business spheres is the extent to which a DPO can represent an organization in enforcement proceedings initiated by the AEPD.

Functions of the Data Protection Officer

The DPO is a key figure in the field of personal data protection, whose primary function is to ensure compliance with data protection regulations within an organization. Their main duties include:

  • Informing and advising the data controller or processor and employees about their obligations under the GDPR and other applicable regulations.
  • Monitoring compliance with the GDPR and the organization’s internal data protection policies.
  • Cooperating with the supervisory authority (in Spain, the AEPD) in the performance of its functions and with data subjects in the exercise of their rights.

In short, the DPO acts as an internal guarantor of data protection, ensuring that:

  • Personal data is processed lawfully, fairly, and transparently.
  • The rights of data subjects are respected.
  • Risks to the rights and freedoms of individuals are minimized.

When is it mandatory to appoint a DPO?

The appointment of a DPO is mandatory in certain cases, such as:

  • When the processing is carried out by a public authority or body.
  • When the core activities of the controller or processor consist of processing operations that require a large-scale data protection impact assessment.
  • When the controller or processor carries out on a large scale the processing of special categories of data or personal data relating to criminal convictions and offenses.

Sanction for a Data Protection Officer

A DPO was sanctioned by the AEPD for submitting claims on behalf of the data controller in an enforcement proceeding.

Although the DPO argued that they merely acted as a point of contact and that the data controller was aware of everything, the AEPD considered that:

  • The DPO exceeded their authority: by submitting the claims and signing the document as the author, they assumed a role that could compromise their independence.
  • There was a conflict of interest: by advising the data controller and, at the same time, defending them in the enforcement proceedings.
  • The separation of duties between the DPO and the data controller, which is essential to guarantee the impartiality of the DPO, was not respected.

The AEPD concluded that this conduct was not a simple error, but a serious violation that jeopardized the independence and integrity of the DPO.

In summary, the AEPD has set a clear precedent: the DPO must maintain strict independence and cannot assume roles that could create conflicts of interest.

At Letslaw, we are specialists in data protection and we act as Data Protection Officers for our clients. If you need more information, please contact us.
