
“No one can serve two masters” – why managing directors cannot also be data protection officers


Author: Ilka Kuci

In a decision dated October 16th, 2024 (Ref. No.: 2024-0.641.771), the Austrian Data Protection Authority (DPA) clarified that a person cannot simultaneously serve as both the managing director and the data protection officer (DPO) of a company – at least not without specific measures to avoid conflicts of interest.

The case

A managing director of a limited liability company (GmbH) was also appointed data protection officer. The company had not taken any discernible precautions to ensure that this dual role did not give rise to conflicts of interest. The DPA considered this a violation of the GDPR (Art. 38 para. 6) and imposed a fine of EUR 5,000.

The DPA’s reasoning

The GDPR, specifically Art. 38 para. 6 GDPR, generally allows a data protection officer to also perform other tasks. There is therefore no per se ban on a dual function. However, these other duties must not lead to a conflict of interest. The DPA takes the view that such a conflict typically exists in the case of managing directors and generally assumes that their role is incompatible with the role of a data protection officer. Depending on the nature, size, and structure of an organization, the Article 29 Data Protection Working Party recommends the following to address “conflicts of interest” in its guidelines on data protection officers (WP 243 rev.01, available at: https://www.dsb.gv.at/europa-internationales/europaeischer_datenschutzausschuss_edsa.html, pp. 19f):

  • to identify roles that are incompatible with the DPO function,
  • to establish internal policies to avoid conflicts of interest,
  • to provide a general explanation of potential conflicts of interest,
  • to declare that the DPO does not have a conflict of interest in relation to their function and thus raise awareness of this requirement,
  • to include safeguards in internal policies and ensure that the job posting for the DPO position or the relevant service contract is precise enough to prevent conflicts of interest. In this context, it should be noted that conflicts of interest can take different forms depending on whether the DPO is recruited internally or externally.

It is important to note:

  • The personal union of “managing director and data protection officer” is tricky. A conflict of interest can possibly be avoided if the DPA guidelines (WP 243 rev.01, pp. 19f) are followed.
  • The data protection officer must be properly reported to the DPA. Any externally recognizable measures taken to avoid a conflict of interest must be disclosed to the DPA.

Conclusion

The DPA takes a strict stance on the independence of the data protection officer. In its view, only those who clearly separate responsibilities can genuinely uphold data protection. Control must not be exercised by those who are simultaneously responsible for the decisions to be controlled. After all, no one can serve two masters.

Disclaimer

This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.


Author


Ilka Kuci

Associate
5 May 2025
