Our remarks ° The tasks and duties of the DPO should be regularly • The independence of the DPO is critical in ensuring reviewed to ensure they remain independent and compliance. Monitoring one’s own decisions is not in conflict with other responsibilities within the incompatible with the role of a DPO, who must act organization. independently of the controller or processor. To ° Data controllers should establish a reporting avoid risking a conflict of interest when appointing mechanism that allows employees to report any or instructing a Data Protection Officer, and to concerns about the DPO’s independence or conflicts generally ensure a compliant DPO practice, of interest. consider the following: ° The DPO cannot be responsible for the processing ° The DPO should have direct access to the highest activities of the data controller or processor, as this management level and should not receive any would not fulfill the requirement for independence. instructions regarding the exercise of their tasks. Therefore, a DPO typically cannot hold the position ° The controller should ensure that the DPO is properly of the top IT or HR executive in an organization. involved and informed in a timely manner about all Instead, an employee who does not have ultimate issues which relate to the protection of personal data. responsibility for these areas may be appointed as DPO. ° The DPO should be provided with adequate resources to enable them to perform their tasks effectively and ° Although a DPO may fulfill other tasks and duties independently. beyond those of the DPO role, the controller must ensure that these additional tasks do not lead to a conflict of interest for the DPO. Published: 20-09-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing 53