The growing importance of the Data Protection Officer (DPO) within corporate environments highlights the need to ensure the independence and impartiality of this role. Because the DPO performs advisory, monitoring, and reporting functions — including on sensitive matters that may diverge from the organization’s interests — the proper performance of these duties requires the ability to act freely and without undue restriction.
In this context, identifying potential conflicts of interest involving the DPO is essential. A conflict of interest arises when personal, professional, or institutional interests interfere with a person’s ability to act objectively and impartially. In the case of the DPO, such a conflict may occur when the officer simultaneously holds positions that influence decisions regarding the purposes or means of personal data processing, or when their activities are subordinated to organizational interests that are incompatible with their duty to advise, monitor, and report independently.
Incompatibility of Functions
Guidance issued by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) indicates that certain roles are incompatible with the function of a DPO. These include executive management positions and roles in human resources, information technology, marketing, or finance, as these functions involve strategic decision-making that may place the company’s commercial interests in opposition to the fundamental right to personal data protection.
For example, a DPO who also works in marketing may hesitate to report security incidents out of concern for potential reputational damage to the company. Situations like this highlight the importance of the principle of independence, which is expressly established under the GDPR and reflected in the guidance of the Brazilian National Data Protection Authority (ANPD).
Although Brazil’s General Data Protection Law (LGPD) does not explicitly establish the principle of independence, Resolution CD/ANPD No. 18/2024 reinforces the requirement that the DPO must perform their duties impartially and without conflicts of interest. Under this resolution, the DPO is responsible for declaring any situation that may give rise to a conflict of interest, while the data controller must prevent and remedy such situations, including by (i) refraining from appointing the professional, (ii) adopting measures to eliminate the risk, or (iii) replacing the DPO if the conflict persists.
Best Practices to Prevent Conflicts of Interest
Adopting best practices is essential to ensure the independence and impartiality of the DPO. Among the key measures recommended by the GDPR and Resolution CD/ANPD No. 18/2024 are: (i) ensuring hierarchical separation between the DPO and the departments responsible for decisions regarding data processing; (ii) establishing direct reporting lines to senior management; and (iii) providing adequate human, technological, and financial resources to enable the DPO to properly perform their duties.
Additional measures include formalizing internal policies that clearly regulate the accumulation of functions and require periodic declarations of absence of conflicts of interest, creating privacy committees, ensuring ongoing training, and establishing secure communication channels with senior management.
Practical Cases and International Sanctions
Conflicts of interest may lead to significant sanctions within the European Union. In Belgium, for instance, a company was fined €50,000 under Article 38(6) of the GDPR after authorities found that the DPO held conflicting roles by simultaneously serving as Director of Audit, Risk, and Compliance. A similar case occurred in Germany, where a company was fined €525,000 because the same individual acted as both DPO and director of two service provider companies within the same corporate group. In February 2023, the Court of Justice of the European Union (CJEU) examined Case C-453/21, which addressed whether holding the positions of both chair of the workers’ council and DPO constituted a conflict of interest. The Court concluded that such overlap could undermine the independence of the DPO and left it to national courts to assess the specific circumstances of each case. In Brazil, although no specific precedents have yet been established, a violation resulting from a conflict of interest may lead to the application of the sanctions provided for in Article 52 of the LGPD.
Conclusion
The role of the DPO is strategic for corporate governance and for fostering a culture of privacy, going beyond a mere legal requirement. For the DPO to perform their duties with independence, integrity, and effectiveness, it is essential to understand the obligations established under the GDPR, the LGPD, and Resolution CD/ANPD No. 18/2024. Building robust privacy governance depends not only on legal rules but also on an organizational culture that values transparency and prevents conflicts of interest, while ensuring the technical autonomy of the DPO.
GTLawyers provides specialized support in the implementation and improvement of privacy programs, including ongoing legal assistance to DPOs and DPO as a Service solutions. Its services aim to ensure regulatory compliance, promote best governance practices, and mitigate risks, while preserving the independence and credibility of the DPO as a key pillar of institutional trust.






