Trailblazing Your Path To Optimal Cyber Risk
Organizations have faced significant difficulties in finding suitable DPO candidates due to high expertise standards, expectations regarding availability and language skills, and limited pool of qualified candidates. Thus, many organizations have resorted to an seemingly easy choice of designating someone from their workforce as their DPO. This decision is permitted under Article 38.6 GDPR, which allows organizations to appoint a DPO who also performs "other tasks and duties" as long as there is no conflict of interest.
On February 9, 2023 the Court of Justice of the European Union (CJEU) delivered a verdict in the X-FAB case. This ruling elaborated on the guidelines for evaluating the presence of a conflict of interest between the role of the Data Protection Officer (DPO) and any other responsibilities assigned to the DPO.
In the X-FAB vs FC case, the German company X-FAB had appointed an employee "FC" as its data protection officer (DPO). However, the employee also performed the duties of chair of the works council in that company, leading to concerns over conflicts of interest.
The German supervisory authority (SA) responsible for data protection initiated proceedings against X-FAB, ordered the company to remove the employee from the position of DPO. Following this request, X-FAB dismissed FC from his duties as DPO.
X-FAB challenged the SA's decision, arguing that the employee's multiple roles did not create a conflict of interest and seeks to retain the position of DPO of X-FAB. X-FAB continues to take the stance that there is a risk of a conflict of interests and these two posts are incompatible, hence FC’s dismissal as DPO is reasonable.
The case was then referred to the Court of Justice of the European Union (CJEU) for a ruling on whether a person holding several positions within a company can effectively carry out the duties of a DPO and whether such a situation constitutes a conflict of interest.
In its ruling, the CJEU held that a person holding several positions within a company can be appointed as a DPO as long as there is no conflict of interest between their different roles. The court also stated that the DPO must be able to perform their duties in an independent and objective manner, without any influence from the company's management. The court found that in this particular case, the employee's multiple roles within X-FAB did create a conflict of interest, as they could not carry out their DPO duties independently. Therefore, the CJEU upheld the SA's decision to order X-FAB to remove the employee from the position of DPO.
The ruling has important implications for companies appointing DPOs, as it clarifies the need for the DPO to have sufficient independence and avoid conflicts of interest. It is the responsibility of the organization, not the DPO, to ensure that tasks and duties assigned to the DPO do not put them in a conflicting position. Many organizations appoint split-role DPOs due to the inability to employ a full-time DPO, but this can potentially create a conflict of interest. Examples of such roles include in-house legal counsel, Chief Information Security Officer, or CEO.
To determine the presence of a conflict of interest, the ruling advocates an assessment on a case-by-case basis. It recommends that the assessment must take into account all relevant circumstances, especially the organizational framework of the controller or processor, and consider all relevant regulations, including any policies of the controller or processor. A good practice would be to employ an external organization for the DPO function, as this provides the best option for independent oversight.
© 2025 All Rights Reserved. CYRVANA® is a registered trademark of Cyrvana Inc. All other trademarks, service marks, and logos used on this site are the property of their respective owners. The use of customer and partner logos does not imply endorsement by or affiliation with Cyrvana. Privacy | Terms | Legal | Cookie Preferences
