Authorities in Belgium, the Netherlands, and Luxembourg are paying closer attention to how organizations appoint their Data Protection Officers (DPOs). They are especially focused on making sure DPOs can work independently, without a conflict of interest, and have enough resources to do their job properly.
In the Netherlands, the Dutch Authority for Personal Data (AP) recently (December 2024) highlighted problems with DPOs not being independent enough. According to the AP, a conflict of interest was found especially where DPOs simultaneously held roles as Privacy Officer (PO), Chief Information Security Officer (CISO) or Compliance Officer.
The Belgian Data Protection Authority echoed these concerns in a statement from earlier last year (January 2024). It points out that many companies do not provide DPOs with enough resources and access to decision-makers.
Luxembourg’s CNPD has also acted on these issues, imposing fines and issuing warnings (for instance 18FR/2021 and 37FR/2021). These cases confirmed that organizations must avoid conflicts of interest for DPOs and provide them with enough resources. Failing to do so can lead to investigations and, in the worst case, fines.
EDPB Survey Reveals Gaps in DPO Independence and Resource Allocation
These developments tie in with the findings from a survey conducted by the EDPB. The survey gathered insights from data protection authorities across the EU to assess how organizations appoint and support their DPOs. It focused on key aspects such as the DPO’s independence, resources provided, and their role within the organization. The findings of the survey showed that while many organizations formally comply with the requirement to appoint a DPO, there are gaps in ensuring their independence and providing adequate resources.
The Dutch AP explicitly points out:
“If the AP receives signals about possible conflicts of interest of a DPO, the AP can take measures. […] If the person responsible does not take any measures to resolve the conflict of interest, the AP can then impose administrative sanctions.”
Companies should review their DPO arrangements as soon as possible to avoid penalties and maintain trust with regulators.