Personal Data Protection: Who Can (and Cannot) Serve as a DPO?

Key Takeaways

The Data Protection Officer (DPO) plays a central role in the implementation of the GDPR and in overseeing compliance. While there is no predefined DPO profile, several criteria must be met in order to identify and appoint the right candidate.


The DPO occupies a strategic position in the implementation of the GDPR and in steering compliance within organizations. Neither a decision-maker nor a data controller, the DPO informs, advises, monitors, and facilitates compliance with personal data protection regulations.

The GDPR is now entering its eighth year of application. One might therefore expect that all organizations subject to it (public authorities, companies, associations, etc.) fully understand the rules governing the appointment of their DPO. However, while there is no set profile, several criteria must be met in order to identify and select the right candidate, as certain roles are incompatible with this position.

The purpose of this article is to outline the rules governing the appointment of DPOs and the criteria that must be met to avoid situations of incompatibility that could lead to the appointment being invalidated and thus to a violation of the GDPR.


1. Who Can Be Appointed as a DPO? Conditions and Legal Framework

The Data Protection Officer (DPO) lies at the core of GDPR implementation and compliance monitoring. The DPO’s role includes providing information and advice, monitoring compliance, and overseeing adherence to personal data protection regulations. However, several criteria must be met when identifying and appointing a DPO.

    1.1 Conditions and Criteria for Appointment

The conditions governing the appointment of a DPO, as well as their position and tasks, are set out in articles 37 to 39 of the GDPR.

The appointment of a DPO may be mandatory in the cases provided for under article 37 of the GDPR, or voluntary.

It is mandatory where the organization is:

     - a public authority or body (except for courts acting in their judicial capacity). This includes, for example, ministries, prefectures, regional and local authorities, regions, departments, municipalities, as well as public (and private) hospitals, universities, and public (and private) schools;

     - or where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. (1) This includes online services (e-commerce websites, social networks), online or telephone marketing services, hospitals, polling institutes, etc. (2)

Data processors may also be required to appoint a DPO, based on the same criteria applicable to controllers.

Organizations that do not meet the above criteria may nonetheless decide to appoint a DPO on a voluntary basis. In such cases, all provisions applicable to the DPO under the GDPR must be complied with.

Furthermore, the DPO may be internal to the organization (civil servant or employee) and may perform this function on a full-time or part-time basis, in addition to another role within the organization. The function may also be shared within a corporate group or among several organizations, particularly for smaller entities (municipalities, companies, associations), provided that each entity effectively has access to the DPO. Finally, the DPO may be external to the organization (consultant, attorney).

In all cases, the appointment must be formally documented (employment contract, job description, service agreement) and notified to the supervisory authority (e.g. CNIL). The DPO’s contact details must be made available to data subjects.

    1.2 Skills and Tasks of the DPO

There is no predefined profile for a DPO.

As a general rule, the DPO is appointed on the basis of their professional qualities and, in particular, expert knowledge of data protection law and practices. They must possess specialized knowledge in the field of data protection (including the GDPR, applicable national law, and European guidelines), a solid understanding of the organization’s sector of activity, and an operational grasp of information systems, data flows, and the security measures implemented by the organization.

The DPO’s tasks include:

     - monitoring compliance with the GDPR and with the organization’s internal policies, including conducting compliance audits and drafting and maintaining up-to-date compliance documentation (records of processing activities, internal policies, etc.);
     - advising on and supporting data protection impact assessments (DPIAs);
     - informing and advising the controller, as well as raising awareness and training staff;
     - acting as the contact point for and cooperating with the supervisory authority;
     - acting as the contact point for data subjects.

The DPO is bound by professional secrecy or an obligation of confidentiality (article 38 §5 GDPR). The DPO is not personally liable for the organization’s infringements of the GDPR; the controller or the processor remains accountable for compliance vis-à-vis third parties (data subjects and the supervisory authority).


2. Who Cannot Serve as a DPO? Independence and Conflicts of Interest

Several criteria may render the functions performed by an employee or consultant incompatible with the role of DPO. This issue, often overlooked, may have serious consequences in terms of GDPR non-compliance, exposing the controller to administrative fines.

    2.1 Independence, Conflicts of Interest, and Generally Incompatible Functions

Individuals whose position within the organization does not guarantee independence or the resources necessary to perform the role may not be appointed as DPO.

    - Independence: The DPO must not receive any instructions regarding the performance of their tasks and must not be dismissed or penalized by the controller for performing their duties (article 38 §3 GDPR).

The functional independence of the DPO was further clarified in two decisions of the Court of Justice of the European Union (CJEU) dated 9 February 2023. According to the Court, the principle of independence aims to ensure the protection of data subjects under the GDPR. However, this does not mean that a DPO cannot be dismissed, particularly where they are no longer able to perform their tasks independently or no longer possess the necessary professional qualifications. (3)

    - Conflict of interest: The GDPR excludes from the role of DPO any individual whose other functions within the organization would create a conflict of interest (article 38 §6 GDPR).

A conflict of interest may arise, in particular, where the prospective DPO also determines the purposes and means of the processing, thereby placing them in a position of being both “judge and party.”

The CJEU has clarified the concept of conflict of interest. A conflict may exist where a DPO “is entrusted with other duties or tasks which would result in that person determining the purposes and means of the processing of personal data on behalf of the controller or its processor.” The national court should verify the role performed by the DPO “on the basis of an assessment of all relevant circumstances, including the organizational structure of the controller or its processor,” and “in light of all applicable rules, including any internal rules of those entities.” (4)

    - External DPOs: The requirement to avoid conflicts of interest also applies to external DPOs. For example, attorneys appointed as external DPOs may not represent their client before the courts in litigation relating to data protection matters, as such a situation may give rise to a conflict of interest.

    - Incompatibilities: Incompatibilities must be assessed on a case-by-case basis, taking into account the company’s internal organization. Where an individual divides their time between the role of DPO and another function within the company, a conflict of interest may arise if that other function is likely to compromise their independence in performing their tasks as DPO.

For example, functions generally considered incompatible, and likely to create a conflict of interest, include senior management or executive roles, heads of IT, HR, marketing, finance, or medical departments, as well as any role involving decision-making authority over data processing activities (in particular with respect to the purposes and/or means of processing).

    2.2 Consequences of Appointing a DPO Performing Incompatible Functions

The appointment of a DPO who performs incompatible functions constitutes a standalone infringement of the GDPR, irrespective of any substantive breach of data protection rules.

Where a DPO is in a situation of conflict of interest, the supervisory authority may consider the appointment to be legally invalid, effectively treating the situation as if no DPO had been appointed and, consequently, as a breach of the GDPR.

The incompatibility between the individual’s functions within the organization and the role of DPO exposes the organization to administrative fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (article 83 §4 GDPR), as well as corrective measures such as requiring the replacement of the DPO. In practice, however, before imposing a financial penalty, the supervisory authority will generally issue a warning to the organization, followed, where appropriate, by an order to bring the organization into compliance (including the appointment of a new DPO).

It should be noted that a finding by the French supervisory authority (CNIL) of a conflict of interest between the DPO’s mission and his or her duties within the company is often followed by a compliance audit.

* * * * * * * * * * *


(1) “Sensitive data” are defined in article 9 §1 of the GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and […] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.”

(2) Concepts such as “core activities,” “regular and systematic monitoring,” and “large scale” are clarified in the CNIL’s Practical Guide – Data Protection Officer (in French) and in the Guidelines on Data Protection Officers (DPOs).

(3) CJEU, 9 February 2023, Case C-453/21, X-FAB Dresden GmbH & Co. KG; and CJEU, 9 February 2023, Case C-560/21, ZS v. KISA.

(4) CJEU, 9 February 2023, Case C-453/21, X-FAB Dresden GmbH & Co. KG.

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

February 2026