24 April 2025

DPOs Can Wear Many Hats, But Not All – Data Protection Officers Under Scrutiny For Concerns Related To Conflict Of Interest

After an inspection initiated in 2021 to assess the controller's implementation of the Article 38 GDPR requirements relating to the Data Protection Officer ("DPO") role, Datatilsynet, the Norwegian Data Protection Authority ("DPA" or "Norwegian DPA"), published a decision in March 2025 in which it imposed a fine of NOK 4 mil. (approx. 333,000 EUR). The controller was sanctioned after the DPA found that the company had designated a DPO without conducting an internal analysis to determine whether doing so was mandatory. Additionally, there was no formalized internal procedure to ensure that the DPO was involved in all issues related to the processing of personal data.

The DPO was found to be involved only informally, on a case-by-case basis, which created a risk of inconsistent compliance practices within the company. The company also failed to provide the DPO with adequate support in terms of staffing, training and access to information. Moreover, the DPO did not have direct access to the highest management level, which rendered the DPO's performance ineffective. Finally, the position of the DPO within the organization did not ensure the independence required by the applicable framework.

This lack of independence was compounded by the fact that the DPO held additional roles and duties which were not properly documented so as to avoid possible conflicts with the regular duties related to the processing of personal data. The controller did not carry out any formal conflict of interest assessment before assigning these supplementary tasks to the employee who also held the DPO position. Formal documentation was, in fact, necessary, because the interaction between the DPO duties and the other role was ambiguous: the legal function of the person concerned may have influenced the company's data processing decisions. Furthermore, there was no internal documentation attesting that the DPO was clearly excluded from decisions on data processing activities, meaning that there was no guarantee that the DPO did not determine the purposes or means of processing.

This decision of the Norwegian DPA is only a recent example of an ongoing concern about the regulatory compliance of DPOs. A similar instance in the very recent case-law of the CJEU is the X-FAB case [1]. The judgment concerned an employee named FC who worked as chair of the works council and as vice-chair of the central works council for three other entities in the same group as X-FAB. Later, FC was also designated as DPO for X-FAB and other connected companies. After the entry into force of the GDPR, he was dismissed as DPO due to an alleged conflict of interest identified by the company between the positions held. For this article, the preliminary question of interest is in what circumstances the existence of a "conflict of interests", within the meaning of Article 38(6) of the GDPR, may be established. The judges first recalled that Article 38 does not prevent the DPO from holding other duties within the company. A "conflict of interests" refers to the way in which these other duties impair the execution of the functions performed by the DPO. In defining the concept, the judges also stated that the existence of a conflict of interests must be assessed on a case-by-case basis so that such situations are avoided. Additionally, the CJEU added that the other duties of a DPO cannot lead to them determining the means or purposes of data processing for the company, since these are precisely the elements a DPO is expected to review objectively. Consequently, we see that the reasoning in X-FAB (first set out in WP29's Guidelines on DPOs, endorsed by the EDPB [2]) was closely followed by the Norwegian DPA in imposing the NOK 4 mil. fine.

The two cases analyzed are not isolated examples. A Coordinated Enforcement Action undertaken by the European Data Protection Board ("EDPB") in relation to 2023 [3] shows that the sources of conflicts of interest are varied, and that they affect a surprising number of companies across the EU. For example, the Enforcement Action shows that only 45.82% of contacted DPOs worked full time, meaning that more than half of surveyed DPOs work part-time, which poses operational risks. Moreover, 33.97% of DPOs were shared among several organizations. Therefore, a third of surveyed respondents run the risk of working for companies with conflicting interests, or even of working for both the controller and the processor of the same processing activity. Similarly, in 7 Member States, more than 20% of respondents answered that the DPO belonged to the highest management level (such as chief executive, chief operating, chief financial or chief medical officer, head of the marketing department, head of Human Resources or head of IT), which implies a lack of impartiality in relation to the company's compliance with GDPR requirements. This means, first, that the person may have to choose between the interests of the company and respecting the DPO duties and, second, that the DPO might be involved in determining the means and purposes of data processing. In fact, 17% of respondents outright stated that the DPO takes part in the decision-making process for personal data processing. A similar share of 13.82% of respondents in each Member State reported that the DPO receives instructions for their tasks and duties, reflecting a misunderstanding of the role of the DPO as an independent advisor.

Another source of conflict takes the form of budgetary constraints. Concretely, only 47% of surveyed DPOs reported that they independently manage the budget allocated to them. This raises an issue of operational independence, as it can lead to the DPO hesitating to criticize and report on the organization, or to tasks and duties being managed improperly because of financial constraints. Clearly, this is in direct contradiction with WP29's Guidelines on DPOs, which state that the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions [4].

Special care should be taken in relation to external DPOs. Here, multiple practices have been identified as non-compliant with the DPO requirements. The contractual relationship with an external DPO should be carefully thought out so that it does not lead to direct or indirect control over the DPO's tasks and duties. For example, an agreement for data processing activities under which the external DPO is a de facto processor is non-compliant. Another worrying example is given by the EDPB in the case of lawyers acting as external DPOs, where the Board draws attention to the incompatibility between this activity and representing the same client in court in data processing cases.

Having understood, first, which situations give rise to these concerns and, second, how widespread these issues are, it is important to turn to measures meant to prevent conflicts of interest for DPOs. If an audit of the DPO position has identified such problems, it is paramount to review and adapt internal policies and documents so that they include a clear definition of the DPO role within the company and of its tasks and duties, together with proper safeguards ensuring that other tasks cannot lead to conflicts of interest for the DPO. Furthermore, measures should be implemented to properly involve the DPO in all matters related to data protection, and a direct reporting line to the highest management level must be ensured. The DPO must be able to document independence issues, and the internal documents should explain what a conflict of interest is for the DPO and how it is to be avoided. When the DPO position becomes vacant, the recruitment announcement must make clear the conditions under which existing employees may apply, in order to avoid any conflict of interest from the outset. Finally, the DPO must be given sufficient resources, both financial and in terms of time.

In any case, the lesson must be clear by now for interested organizations, their DPOs and the hats they wish to wear. Unfortunately, some colors just do not go well together and, in data protection, unlike in haute couture, the fashion police really exist, and they apply real fines.

Footnotes

[1] Case C-453/21, X-FAB Dresden, 9 February 2023.

[2] Article 29 Data Protection Working Party, "Guidelines on Data Protection Officers ('DPOs')", adopted on 13 December 2016, as last revised and adopted on 5 April 2017, p. 16.

[3] EDPB, 2023 Coordinated Enforcement Action on the Designation and Position of Data Protection Officers (16 January 2024).

[4] Article 29 Data Protection Working Party, "Guidelines on Data Protection Officers ('DPOs')", adopted on 13 December 2016, as last revised and adopted on 5 April 2017 (endorsed by the EDPB), p. 15.
