CJEU Clarifies Rules on Conflict of Interest in Relation to DPO Role
Time 1 Minute Read

On February 9, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the X-FAB Dresden case (C-453/21). In this decision, the CJEU clarified the criteria for assessing whether a conflict of interest exists between the Data Protection Officer (“DPO”) position, and other tasks or duties assigned to the DPO.

The CJEU emphasized that organizations must ensure that the DPO is not entrusted with tasks or duties which could impair the execution of their DPO obligations. Particularly, the DPO cannot determine the objectives and methods of a personal data processing activity.

A case-by-case assessment is required to determine whether a conflict of interest exists. This assessment should take into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor”.

The CJEU also confirmed the possibility of further restricting DPO dismissal under national laws, as long as such laws do not undermine the objectives of the GDPR.

Read CJEU’s decision.


Subscribe Arrow

Recent Posts




Jump to Page