Under the European Union’s General Data Protection Regulation (GDPR), there are a number of requirements for appointing a Data Protection Officer (DPO). These obligations and restrictions are also reflected in the UK GDPR, as retained post-Brexit.
GDPR Article 38(6) specifies that “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” Which other tasks and duties constitute a conflict of interests for a DPO has been the subject of a number of decisions by EU member state regulators.
A recent decision (19 December 2024) by the Garante per la Protezione dei Dati Personali (the Italian data protection regulator) holds that the role of DPO is incompatible with the role of legal representative.
The appointment by Studio Riabilitazione Creditzia s.r.l.s. (the “Company”) of its legal representative as DPO, without informing the Garante of the appointment, constituted a breach of GDPR Articles 37, 38 and 39. This formed part of the basis for a EUR 70,000 fine publicised by the Garante on 28 February 2025.
You might have thought that “legal representative” means an organisation’s lawyer, e.g. “Jessica Vautier at Bortstein Legal Group is our legal representative”. On that reading, being both an in-house lawyer at, and the DPO of, the same company could be non-compliant. However, it appears that this is not how the term is used in this case.
We understand that Italian companies are required to have a “legal representative” (usually a director or partner) who is responsible for representing the company in legal and administrative matters. This is a different concept from acting as a company’s lawyer. Read this way, the decision accords with the existing understanding that it is a conflict of interest to be both a director and the DPO of the same company, as the “legal representative” will normally be a director or hold a similar role. A director determines the purposes and means of processing personal data, because directors are responsible for the conduct of the company’s business, and the DPO is then expected to monitor that same processing independently.
It is nonetheless possible for in-house counsel to have conflicts of interest with the DPO role. The Article 29 Working Party stated in its 2017 Guidelines on Data Protection Officers (subsequently endorsed by its successor, the European Data Protection Board) that, as a rule of thumb, individuals in senior management positions are conflicted out of DPO roles, and that a conflict may also arise where an external DPO is asked to represent the organisation in court in cases involving data protection issues. By extension, in-house counsel who act as DPO would be prudent to avoid involvement in disputes involving data protection.
In the above decision from the Garante, the Company had appointed a DPO on a voluntary basis. The Garante reiterated the position (reflected in GDPR Article 37(4)) that, where an organisation appoints a DPO voluntarily (i.e. despite not being legally required to do so under GDPR Article 37(1)), it remains subject to the requirements in Articles 37 to 39 with respect to the DPO’s appointment, position and tasks, as if the appointment had been mandatory.
The practicality of these restrictions is questionable, particularly for smaller businesses which require DPOs. The difficulty is compounded by the GDPR requirement (Article 37(5)) that DPOs be designated on the basis of their professional qualities and expert knowledge of data protection law and practice, which often rules out the appointment of existing staff of smaller organisations. In practice, appointing an external DPO may be the only option for organisations without in-house data protection expertise, or where only the directors have sufficient experience.
In larger organisations, however, it is important to get the balance right between giving the DPO enough seniority to do their job properly and not so much that a conflict of interest arises. Article 38(3) of the GDPR requires that DPOs do not “receive any instructions regarding the exercise” of their tasks as DPO and must “directly report to the highest management level”. The intention is for this to give the DPO the independence they need in order to perform their role.
QUESTIONS?
To discuss how this requirement may apply to your organisation, please contact Benjamin Ross (Global Head of Privacy & Cybersecurity) or Jessica Vautier (Senior Associate) in Bortstein Legal Group’s Privacy team.