Empty Link Skip to Content

Two hats, many clashes? CJEU Confirms Test for DPO Conflict of Interest

The CJEU has confirmed that a "conflict of interest" exists when a Data Protection Officer ("DPO") is also assigned other tasks or duties which require them to make decisions about the objectives and methods of personal data processing on behalf of their employer. A common example of this is where the appointed DPO also performs another role such as COO or CTO – which is regularly the case for Irish and multinational businesses.


In Case C-453/21, X-FAB Dresden GmbH & CO. KG v FC ("X-FAB Dresden"), FC, an employee of X-FAB Dresden GmbH, was chair of its works council, and vice-chair of the central works council for the group to which it belonged. In June 2015, the company, its parent and the other group subsidiaries ("the undertakings") all separately appointed FC as their DPO.

On the competent supervisory authority's request, the undertakings dismissed FC from his DPO duties, due to a conflict of interests in his roles. This was due to the fact that, as DPO, FC was required to directly report to the highest management level of the controller or processor, i.e. the works council(s) of which FC was chair and vice-chair.

In the action brought by FC before the German courts, FC sought a declaration that he retain the position of DPO of X-FAB. X-FAB submitted that there was a risk of a conflict of interests if FC simultaneously performed the functions of DPO and chair of the works council, on the ground that those two posts are incompatible. X-FAB argued that there was, therefore, a just cause justifying FC’s dismissal as DPO.

The courts of first instance and of appeal upheld FC’s action. The appeal on a point of law brought by X-FAB before the Federal Labour Court, Germany, which is the referring court, sought to have that action dismissed.

The referring court observed that the outcome of the appeal depended on the interpretation of EU law. In particular, the question arose as to whether the second sentence of Article 38(3) of the GDPR and the prohibition on the dismissal of DPOs for performing their tasks, precludes Germany from imposing stricter conditions for dismissing a DPO than those laid down by EU law. The referring court also asked whether the function of chair of the works council and of DPO of that undertaking may be performed by one and the same person or whether that would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR.

CJEU decision

The CJEU found that Member States are permitted to introduce additional protections against the dismissal of DPOs, but any such protections cannot undermine the achievement of the objectives of the GDPR. This may arise if a DPO cannot be dismissed when they no longer possess the professional qualities required to perform their tasks, as required by Article 37(5) GDPR (as previously noted by the CJEU in Leistritz, Case C-534/20).

In addition, the CJEU found that any increased protection for the DPO which would prevent their dismissal in the event that they are no longer in a position to act in an independent manner, due to a conflict of interests, would undermine the objectives of the GDPR.

The CJEU held that it is inconsistent with the required independence of the DPO role for the same individual to be advising the business on its data protection compliance, while also making decisions about how to carry out processing activities.  A core part of the DPO role is to review the objectives and methods of processing independently, and this is not possible where the DPO is also the person making the final decision. The existence of a conflict of interests must be assessed on a case-by-case basis, taking into account all relevant circumstances, including the organisational structure of the controller or its processor, and any other applicable rules, including any relevant policies of the controller or its processor.

The findings in X-FAB Dresden provide a timely reminder for DPOs of their statutory obligation to avoid holding any other role that would result in a conflict of interests, as this month the EDPB launches its coordinated enforcement action for 2023 on the designation and position of DPOs ("CEA 2023"). The CEA 2023 will assess if organisations have met their applicable DPO requirements under Articles 37-39 GDPR, and whether DPOs have the necessary resources to carry out their tasks. National supervisory authorities, will implement the CEA 2023 through questionnaires to DPOs and formal investigations into certain identified organisations. [1]

The CJEU's decision follows earlier Article 29 Working Party Guidance that a DPO "cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data" [2].

National Supervisory Authority Positions

X-FAB Dresden follows a series of national decisions which reach similar conclusions. The following roles were considered to present a "conflict of interest" when assigned to a DPO:

  • Head of Compliance, Risk Management and Internal Audit [3];
  • Head of Operational Risk Management, Information Risk Management, and Special Investigations Unit in a bank [4];
  • MLRO / Head of Compliance [5];
  • Defence counsel for the controller or processor in litigation [6];
  • Deputy General Counsel for the controller [7]; and
  • Managing Director of other subsidiaries within a group. [8]

I'm a DPO – can I be personally liable for having tasks which result in a conflict of interest?

The onus is on controllers and processors to ensure the DPO avoids holding conflicting positions. [9] Article 38(6) GDPR does not hold the DPO personally liable. However, the CJEU is due to decide on whether GDPR proceedings for an administrative fine in Germany may be brought directly against a natural person later this year. [10]

Avoiding conflicts of interest – Key takeaways for organisations

  • Involve your DPO in matters involving the processing, but ensure they are not designated any decision-making authority.
  • If a significant personal data-related decision arises in the context of the DPO's other role, they should delegate someone of appropriate seniority to make the decision on their behalf (and document that they have done so).
  • In the event of a personal data breach, the DPO should attend meetings on the incident and provide a view or opinion, but should not be the party who determines the risk of the breach and / or if the controller should notify the relevant supervisory authority.
  • When appointing a DPO, map potential appointees' pre-existing responsibilities to identify if any involve making a decision on personal data processing and if they can be mitigated or transferred. A review of your organisation's Record of Processing Activities should assist here.
  • Ensure DPO contracts or appointment letters contain sufficient detail regarding any tasks or responsibilities that would constitute a "conflicting" position. A declaration of no conflict by an incoming DPO may also be appropriate.
  • Document any mitigating measures for potentially conflicting positions in the relevant data protection policies.

Contact Us

If you would like to discuss this article, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact  any other member of the  Technology and Innovation Group

This article discusses DPOs and conflicts of interest. For advice on DPOs more generally, please see previous Matheson publications

With thanks to Anna Nichols for her contribution to this article.

[1] EDPB Press Release, Launch of Coordinated Enforcement on Role of Data Protection Officers, 15 March 2023.

[2] Article 29 Working Party Guidance on DPOs, 5 April 2017 (adopted by the EDPB at its inaugural meeting on 25 May 2018).

[3] Decision 18/2020, DPA of Belgium dated 28 April 2020, resulting in a €50,000 fine aggravated by the company's lack of a conflict of interest policy.

[4] Decision 141/2021, DPA of Belgium dated 16 December 2021, resulting in a €75,000 fine and an order to ensure the DPO had no "additional tasks or duties giving rise to a conflict of interest".

[5] Deliberation 37FR/2021, DPA of Luxembourg dated 13 October 2021, resulting in the DPA finding that the countersigning of conflicted processing practices breached Article 38(6). The company avoided a fine by appointing a new DPO during the DPA investigation.

[6] Decision 979485, DPA of Italy dated 9 June 2022, resulting in a €26,000 fine.

[7] Decision 2020061979, DPA of Iceland dated 4 August 2022, resulting in an order to transfer the DPO's conflicting tasks to another member of staff.

[8] Decision dated 20 September 2022, DPA of Berlin, resulting in a €525,000 fine.

[9] Articles 38(3) and 38(6) GDPR.

[10] C-807/21 Deutsche Wohnen, heard by CJEU on 17 January 2023.