Just a few days ago, the Greek Data Protection Authority (Greek DPA) published a new announcement in relation to the Data Protection Officer (DPO) role. As per this announcement, the Greek DPA consider that the DPO cannot represent the controller in proceedings before the supervisory authority, because the independence of the DPO could be questioned and this situation could lead to conflict of interest.
One of the main concerns around the DPO role is the ability to perform their duties in an independent manner within their organisation. According to the General Data Protection Regulation (GDPR), the DPO cannot be instructed by the controller on how to develop and perform their tasks, so the DPO should decide directly how to deal with an issue, how to investigate a complaint or how to interpret the data protection laws. Furthermore, if the DPO fulfils other tasks and duties, these cannot result in a conflict of interests.
The Greek DPA, therefore, relied on these provisions of the GDPR to state that the DPO should not be the person representing the controller or processor before the supervisory authority. However, the GDPR also states that the DPO must act “as the contact point for the supervisory authority on issues relating to processing”, which can lead to consider that the Greek DPA might have adopted a contra legem interpretation.
So far, only the Art.29 Working Party Guidelines on Data Protection Officers noted that a conflict of interests may arise if an external DPO is asked to represent the controller or processor before the courts in relation to data protection issues. However, the Greek DPA has gone one step further applying the same approach in the case of any type of DPO in proceedings before, not just the courts, but also the supervisory authority.
Now the question is whether other authorities in the European Union will share the interpretation of the Greek DPA. It will be worth remaining vigilant in case there are other pronouncements or decisions in this regard, whether by authorities, courts or even the European Data Protection Board.