Conflicts of Interest in GDPR

  • Writer: Breffni Martin
  • Nov 13, 2025
  • 6 min read

15th November 2025


Summary

The position of Data Protection Officer (DPO) presents a large number of conflicts.

The following roles are excluded for an internal DPO: board member, chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of Human Resources or head of IT departments, and legal counsel (in relation to data protection disputes in court).

External DPOs should be independent and may not be processors, employees/contractors of processors, officers/board members of companies providing anything but DPO services; in particular Article 27 DPR services are excluded, as well as Legal Representative under the Clinical Trial Regulation.


Introduction

The GDPR introduces a number of conflicts of interest in relation to the various roles identified in the regulation, specifically:

  • Controller, who determines the purpose and means of processing

  • Processor, who executes the controller’s instructions

  • Data Protection Representative, who represents a non-EU controller in the EU

  • Data Protection Officer, who oversees compliance with the regulation in terms of advice, information and analysis


The Clinical Trial Regulation also introduces an important conflict of interest in relation to the role of Article 74 Legal Representative, which also excludes Data Protection Officers.

These conflicts stem from the various activities and accountabilities of each party. Central to this is the role of Data Protection Officer (DPO).


The GDPR does not provide a formal definition for a DPO but the following are pertinent regarding the position:

  • may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract

  • does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

  • may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.


Tasks include:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions

  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits

  • to provide advice where requested as regards the data protection impact assessment and monitor its performance

  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.


In-house DPO

The WP29 guidance initially published in 2017, and since endorsed by the EDPB, provides extensive guidance, specifically in relation to conflicts of interest: “the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” In other words, the activities of the DPO must be separate from those of the controller per se. Specifically excluded are “senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure”. Clearly officers of the company are conflicted between their fiduciary duty to the company and the role of DPO. Others are excluded because they are involved in processing; in a pharmaceutical company these would include roles such as clinical data manager or QPPV. Legal counsel would seem to be a natural fit, but the guidance notes that “conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”. Given this, even in-house counsel acting as DPO should take care to avoid conflicts involving data protection issues before the courts, for example by engaging external counsel.


So what roles are compatible with an in-house DPO? For a pharmaceutical company the most likely roles would be in the quality assurance/compliance area, since this role involves a degree of independence and does not involve the processing of personal data. This question should be considered on a case-by-case basis depending on the configuration of the controller involved.


External DPO By Contract

A simpler solution for many smaller pharmaceutical companies will be to appoint an external DPO by contract, which is allowed under Article 37(6): “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.” This would seem to resolve all conflict-of-interest concerns, notwithstanding the exclusion of activities “before the Courts in cases involving data protection issues,” which would appear to exclude engaging external counsel. One further consideration is the position of the DPO in relation to their own organisation. For example, where an external DPO operates through a corporation of which they are also an officer, this may present an inherent conflict of interest where the interests of that corporation, to which the DPO has a fiduciary duty, conflict with those of the contracted company. For example, the external DPO may prefer to avoid problematic issues in order to preserve the contract with the controller.

Clearly in both in-house and external appointments, an assessment of possible conflicts of interest should be made on a case-by-case basis.


Processor Acting as External DPO

The role of processor is fundamentally incompatible with that of the controller’s DPO for the same data. This is because the DPO must act independently vis-à-vis the controller, while the processor is required to act only on the instructions of the controller, undermining the DPO’s independence. For example, in undertaking a clinical study, a Contract Research Organisation, whose role is large-scale processing of clinical data on the instructions of the controller, is not the correct organisation to oversee data protection compliance of that processing. According to the EDPB: “Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance.”


Separate Independent or Joint Controller Acting as External DPO

It would seem that where two separate independent or joint controllers are processing the same data for different reasons (e.g. a study sponsor and an investigative site), it would make sense to appoint a DPO who may act for both. However, in this situation there are other considerations, not least of which is the issue of pseudonymised data, since the sponsor’s DPO would have access to site data, triggering a potential breach. In the case of an investigator-led study, where pseudonymisation is not an issue, this may be appropriate.


Data Protection Representative (DPR) acting as External DPO

These roles are fundamentally incompatible because the DPR, typically a legal person, is part of the controller organisation, while the DPO must be independent and not instructed by the controller. Similarly, a company providing a DPR service for a non-EU controller may not provide a DPO who is an employee/contractor of that organisation. According to the EDPB: “The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union.”


DPO providing Legal Representative services under article 74 of the Clinical Trial Regulation

In this instance the Legal Representative is part of the sponsor/controller organisation, is appointed by them and must act on their instructions, and so lacks the independence required for a DPO.


Breffni Martin



Definitions

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

EDPB: The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.


Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
