❌ Failure of a DPO

DPO | 28/03/2025

⚠️ When a DPO Oversteps Their Role

🔍 Context:
Following the receipt of unsolicited newsletters from a recruitment agency, a data subject submitted an access request under Article 15 of the GDPR.

📨 As the responses were incomplete, the individual filed a complaint with the Data Protection Authority (DPA).

💣 The investigation revealed that, to prevent further unsolicited emails, the DPO unilaterally decided to unsubscribe the individual and delete their personal data.

🚨 What the GDPR says:

📌 The DPO must not act in place of the data controller or make decisions on the purposes and means of processing.

📖 Article 4(7) of the GDPR:

The data controller is the natural or legal person who determines the purposes and means of processing personal data.

🎯 The DPO’s responsibilities include:

  • Informing and advising the controller and staff.
  • Monitoring compliance with data protection rules.
  • Acting as the contact point for the supervisory authority and data subjects.

⚠️ Conflict of Interest: Article 38(6) of the GDPR

The DPO may perform other tasks, provided they do not result in a conflict of interest.

🚫 In this case, the agency appointed its Head of Compliance, Risk, and Audit as DPO, thereby creating a clear conflict of interest.

⚖️ Consequences:

💸 Administrative fine: €50,000
📉 Damage to reputation
📌 Reminder of the DPO’s strict functional boundaries
