The European Data Protection Supervisor (EDPS) said that the danger of data protection officers (DPOs) working at EU institutions being exposed to conflicts of interest was heightened where those individuals fulfil their DPO role on a part-time basis.
The EDPS said that it had identified the issue of potential conflicts of interest after analysing responses to a questionnaire it issued to all EU bodies, including the European Commission, the European Parliament, the Court of Justice of the European Union and the European Anti-fraud Office.
"With respect to the occupation of an administrative function, the EDPS acknowledges that it is important for a DPO to have a good understanding of the way the institution operates and of its personal data processing operations which are mainly carried out by the Administration," the EDPS said in a new report (43-page / 258KB PDF) on the status of DPOs. "However, EU institutions and bodies should be careful to avoid any conflict of interests between DPO duties and any other official duties."
"In particular, part time DPOs should not act as data controller in their primary activity. This would be notably the case for a Head of Administration/HR or a Head of IT Unit since they are likely to be responsible for many processing operations," it said.
The EDPS said that its questionnaire had revealed that 55% of DPOs appointed by EU bodies are "temporary agents", with a further 15% operating as "contractual agents". A quarter of DPOs are EU officials, whilst 5% are permanently employed by the bodies, it said.
The European Commission has outlined proposed reforms to EU data protection laws that would, if introduced, require many private sector companies and all public sector bodies to appoint a dedicated DPO.
However, under existing rules that relate only to EU institutions, each EU body is required to appoint a DPO who is supposed to be an independent monitor of data protection compliance and must keep a "register" of the processing operations the body carries out. The bodies must inform their DPO about any personal data "processing operation" prior to it starting. The notification should include certain information, such as the name and address of the body that would be responsible for the processing, the purpose of the processing and its legal basis.
The rules require that the DPO is suitably qualified to fulfil their role and that an EU institution's selection of an individual "shall not be liable to result in a conflict of interests between his or her duty as Data Protection Officer and any other official duties".
Currently DPOs must be appointed for a "term" period of at least two years and no more than five years in length. DPOs can be reappointed into their role but cannot serve more than 10 years in total in the job.
However, the EDPS said that it was concerned about the turnover of staff employed as DPOs after results from its questionnaire revealed that more than half of the DPOs currently appointed have served less than two years in the job.
"Different reasons can explain a high DPO turnover in a given institution/body, in particular a change in the structure of the organisation, the choice of a short term, the age of the DPO, the absence of definition of a term of office, a poor understanding of the skills required for the function or a failure to comply with conditional dismissal [rules] as set out in [the EU's Data Protection Regulation]," the watchdog said in its report.
"While it is not always easy to assess the actual reasons for an observed high turnover, the EDPS intends to closely follow the situation since it may affect both the expertise and the independence of the DPO," it added.
The EDPS said that it believes it is best for DPOs to be appointed by EU institutions to serve the maximum five-year term. This would "guarantee both independence and expertise", it said.
In a statement, assistant EDPS Giovanni Buttarelli said that DPOs can help ensure that the "fundamental right to data protection" is observed.
"While we are delighted to report that the DPO function is well established within the EU administration, there are several areas of concern," he said. "As institutions are fully accountable for compliance with data protection rules, it is imperative that these concerns are addressed properly by the institutions and we intend to closely monitor and make recommendations as necessary."