The chairman of a company may not be a DPO at the same time. A fine for Specer
For almost six years, the chairman of the board of directors of a medical company was also the Data Protection Officer (DPO). This is contrary to the GDPR, as it does not guarantee that the obligations relating to the protection of personal data within the organisation will be carried out independently and objectively.
After finding that infringement, the President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 11 365 on the company.
A company whose activities are focused on the provision of medical services notified a data incident to the President of the Personal Data Protection Office in 2023: a patient had been issued someone else’s documents. According to the notification, the chairman of the company was also the DPO.
The President of the Personal Data Protection Office therefore initiated administrative proceedings in order to clarify how that happened.
It appeared that the company, the data controller, was aware that the DPO had to be independent from the company’s authorities in order to be able to report on the risks. However, the company took the view that the chairman himself holding that function did not threaten that independence, stating: “we consider the current solution to be optimal, guaranteeing the best material care for the data subjects, the company as controller and the DPO.”
According to the President of the Personal Data Protection Office, the company relied on its own incorrect interpretation of Article 38(6) GDPR and drew inappropriate conclusions from it. It considered that, since it carried out activities covered by medical confidentiality, there was no conflict of interest between the board of directors and the DPO. In its view, the protection of patients’ medical records and of their data is simply one of the company’s most important obligations, and one that is carried out by the chairman.
As is apparent from the explanations provided by the controller, ‘although, in companies active in other sectors, the interests of the chairman of the board of directors may be incompatible with those of the data subjects which the DPO seeks to protect, those interests are consistent in the case of [companies] and the performance of tasks relating to the protection of medical confidentiality and patient information carried out by the chairman does not preclude the effective performance of the tasks in the area of protection of personal data, and indeed the two areas are complementary’.
According to the President of the Personal Data Protection Office, that reasoning is incorrect: a company can take organisational and technical care to ensure the security of personal data only if the DPO, being independent of the company’s management, can inform them of problems and indicate what to improve and how, even if this is difficult and seems costly.
The President of the Personal Data Protection Office indicated in the decision that the Data Protection Officer is the person who is to assist the controller and the processor in ensuring that the processing and data protection comply with the rules on the protection of personal data.
Therefore, the GDPR explicitly states that the Data Protection Officer may perform other tasks and duties only if they do not give rise to a conflict of interest.
A conflict of interest is a situation in which there is a concern that certain circumstances may adversely affect the impartial and disinterested performance of official duties. The chairman of the company cannot perform the duties of DPO in such an impartial and disinterested way.
Decision in Polish: https://orzeczenia.uodo.gov.pl/document/urn:ndoc:gov:pl:uodo:2025:dkn_5131_7/content?query=