The core principles regarding the appointment of a DPO are clearly defined in the GDPR. Nevertheless, we often still see organizations struggling with these basic principles. In this article, we revisit the principles of independence, involvement, and competence of the DPO.
A DPO Must Be Independent
Independence for DPOs mainly means that they must not have any conflicts of interest when carrying out their duties. Such conflicts of interest are certainly not unthinkable, especially since the GDPR clearly allows a DPO to have other responsibilities besides the DPO role. But where is the line?
The Court of Justice of the European Union (CJEU) explored this boundary in case C-453/21 and concluded that a problem arises when the other tasks or responsibilities include determining how and why (the purposes and means) personal data is processed within an organization. At that point, the DPO is in a position of having to advise on or supervise matters they were directly involved in.
In concrete terms, this means that roles in which the DPO holds a significant leadership position or is involved in decision-making within the organization are not acceptable in combination with the DPO role.
So, independence can be expected from a DPO, but this also means a DPO must enjoy certain protections: DPOs may not be dismissed for performing their duties. The CJEU has also ruled on this point, and there is even a case before a French-speaking labor court where a dismissed DPO was awarded compensation.
The DPO Must Be Involved and Able to Report Appropriately
However, independence does not mean that the DPO should operate in a vacuum. On the contrary, a DPO must be actively involved in matters concerning the processing of personal data. Advising or supervising cannot be done from a classic “ivory tower.” That responsibility does not lie solely with the DPO: internally, the DPO role must be integrated in such a way that the DPO has access to all relevant information. This is something the Belgian DPA (GBA) has emphasized in earlier decisions (Dutch), for example regarding informing the DPO about incidents or proactively seeking their advice.
But involvement has little value if the DPO cannot advise at the appropriate level. Projects or activities that involve extensive or sensitive personal data are often strategically important or impact key processes within an organization. It is therefore inappropriate to report to just any manager. This is why, legally, the DPO must report to the highest level of management within the organization. The GBA has interpreted this strictly in the past — for instance, in a case where reporting solely to the general director of a municipality was not considered sufficient (Dutch); it should have been to the College of Mayor and Aldermen.
The DPO Must Have Sufficient Expertise
Advising on and monitoring personal data processing requires specific expertise. The legislators were aware of this when drafting the GDPR and explicitly stated that the DPO must have the necessary professional qualities to fulfill the role properly. In a previous decision, the GBA also ruled that the appointment of a DPO is not merely a formal requirement — the organization must be able to demonstrate (Dutch) that the appointed DPO meets the standards of knowledge and quality.
An important way to demonstrate that the DPO has the required expertise is through relevant training in data protection. A DPO job vacancy stating that “knowledge of GDPR is a plus” was therefore deemed insufficient by the GBA — this wording suggests that knowledge is not required, merely a bonus. Unsurprisingly, the GBA did not agree (Dutch) with that.
Want to Know More About the Role of a DPO?
Want to gain the knowledge to take on the role of DPO yourself? The Data Protection Institute is happy to help! In the coming period, we are even offering a special combination deal in our training programs: take the DPO certification training and receive a full year of Stay Tuned for free!