Conflict of Interest and the Data Protection Officer under the GDPR

29 July, 2025


In recent months, data protection authorities across the European Union have increasingly imposed fines on organizations for appointing Data Protection Officers (DPOs) with conflicts of interest. These enforcement actions serve as a clear warning that organizations must take DPO independence seriously to avoid significant regulatory penalties.

The Role of the DPO

Articles 37-39 of the General Data Protection Regulation (GDPR) set out the role of the DPO, who is tasked with ensuring the organization’s compliance with its privacy obligations. Not every organization is required to appoint a DPO; the role is necessary only in certain circumstances, including when the organization’s core activities require regular, systematic, and large-scale monitoring or when the organization processes special categories of data on a large scale. Under the GDPR, the DPO must be provided with adequate resources, must report to the highest management level, and must be free from conflicts of interest. The DPO may fulfill other tasks and duties in the organization, but such tasks and duties cannot result in a conflict of interest.

Israeli privacy law also addresses DPOs. With the entry into force of Amendment 13 to the Israeli Privacy Protection Law in August 2025, the appointment of a DPO is mandatory in certain circumstances. The circumstances in which a DPO is required, as well as the DPO’s role and responsibilities under Israeli law, mirror the GDPR’s requirements to a large extent, including the requirement that a DPO remain free from conflicts of interest. Amendment 13 explicitly restricts a DPO from holding any other role in the company, or from being directly managed by an officer of the company, if such an arrangement would raise concerns of a conflict of interest.

The Independence of the DPO under the GDPR

The definition of what constitutes a “conflict of interest” has been clarified by both the Court of Justice of the European Union (CJEU) and regulatory guidance. In case C-453/21 X-FAB Dresden GmbH & Co. KG v FC, the CJEU held that a conflict of interest arises if the DPO is involved in determining the purposes and means of personal data processing. The Court emphasized that the existence of a conflict must be assessed on a case-by-case basis, considering the organization’s structure and internal policies. Further, the Article 29 Data Protection Working Party’s Guidelines on Data Protection Officers provide practical examples of roles that typically create conflicts of interest. These include senior management positions such as CEO, CFO, and COO, as well as heads of departments such as IT, HR, or Marketing, and any role that determines the purposes and means of processing personal data. In a guideline published by the Israeli Privacy Protection Authority in January 2022 (prior to the enactment of Amendment 13), these WP Guidelines were referenced in connection with a discussion of avoiding conflicts of interest.

A Growing Focus on DPO Conflicts of Interest in the EU

Recent enforcement actions across Europe demonstrate a clear trend: data protection authorities are increasingly scrutinizing DPO appointments and imposing significant penalties where conflicts of interest are found.

  • In Austria, the data protection authority fined a COVID-19 testing lab €5,000 for appointing its managing director as DPO, finding that senior management roles are fundamentally incompatible with the DPO’s supervisory duties (the decision was published in January 2025).
  • In Croatia, the data protection authority fined a company €12,000 for appointing its procurator, a key decision-maker, as DPO, and imposed a €40,000 fine against a business information publisher for appointing a director as DPO and misclassifying personal data; these decisions were published in 2025.
  • In Norway, on March 10, 2025, Telenor ASA was fined approximately $380,000 for failing to ensure DPO independence, not addressing conflicts of interest, and lacking a direct reporting line to senior management.
  • In Poland, Toyota Bank Polska S.A. received a €132,000 fine in January 2025 for compromising DPO independence by placing the DPO under the IT security director and failing to document profiling activities.
  • In Estonia, in January 2025, Asper Biogene OÜ was fined €85,000, including €5,000 specifically for a DPO conflict of interest, after appointing a management board member as DPO, following a 2023 data breach that exposed sensitive data.
  • In Italy, in April 2024, the data protection authority fined a public body €6,000 for appointing a DPO who also held multiple key positions, creating a conflict of interest because his other roles required him to be involved in determining the means of processing. Furthermore, since he held various other positions, it was determined that he did not have sufficient time to dedicate to his role as DPO, violating the GDPR requirement that the DPO be given the resources necessary to fulfill his obligations.

Key Takeaways from Enforcement Trends and Practical Advice

  • Appoint individuals as DPOs who do not hold senior management or operational roles that influence the purposes and means of data processing.
  • Review organizational structure and hierarchies to ensure the DPO reports directly to the CEO or an officer of similar stature and is not subordinate to departments involved in data processing.
  • Make sure the DPO is provided with the time, authority, and resources necessary to fulfill his/her duties effectively and independently. This also means that the DPO should not hold so many other roles, even non-management roles, that fulfilling all of them would hinder the DPO’s ability to fulfill his/her DPO duties.
  • Maintain clear and thorough documentation of the DPO’s independence, including records of the DPO’s role, resources, responsibilities, and reporting structure.

As enforcement actions and regulatory expectations continue to evolve, organizations should regularly revisit their DPO arrangements. By prioritizing DPO independence, organizations not only reduce their exposure to regulatory penalties but also strengthen their data protection governance and build greater trust with data subjects and stakeholders.


This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.

The information presented here is of a general nature and is not intended to address the unique circumstances of any individual or entity. Although we strive to provide accurate and current information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice following a comprehensive and thorough examination of the specific situation.
