DPO and RSII: are they compatible?
1. AEPD criteria as a starting point
Within the framework of the supervisory and control functions exercised by the Spanish Agency for Data Protection (AEPD), certain sanctioning resolutions provide criteria of particular relevance for the correct application of the General Data Protection Regulation (GDPR) and the national legislation that develops it.
In this context, it is particularly interesting to analyze the decision dated December 20, 2025, regarding case EXP2023167291, which addresses key issues related to the adoption of preventive measures aimed at ensuring an organizational structure that preserves the independence of the Data Protection Officer (DPO) when the same person also assumes, within the same organization, the role of head of the internal information system (RSII). In this decision, the AEPD sanctions a public body for not adequately distinguishing the functions of the same person who acts simultaneously as DPO and as RSII of the organization.
Based on this interpretative criterion, the objective of this information note is to analyze those situations in which it could be possible to exercise the functions assigned to both positions simultaneously without incurring a conflict of interest, provided that the guarantees and protective measures required by the applicable regulations are adopted.
2. Key considerations for assessing compatibility between the DPO and the RSII
The AEPD starts from the premise that the regulatory framework clearly distinguishes between the functions of the DPO and those of the RSII, which generally means that both positions should be held by different individuals within the organization. This separation responds to the need to preserve the independence of the Data Protection Officer (DPO) and to avoid the DPO taking on functions that could compromise their supervisory role, especially when these functions involve operational decisions or the direct management of personal data processing.
In this regard, it can be inferred from the decision that, in certain very specific organizational contexts, compatibility between the roles of DPO and RSII could be considered, provided that this assignment is preceded by a specific and duly documented analysis. However, in any case, compatibility cannot be presumed and can only be maintained if the absence of a conflict of interest and the full guarantee of the DPO's substantive independence are effectively proven.
Taking into account the restrictive approach of the AEPD, the assessment of compatibility must be based on certain key factors that should be analyzed jointly and in their context:
- Available resources and organizational structure: The size of the organization, its degree of internal complexity, and the resources available may influence the distribution of functions. In small organizations or those with organizational limitations, it may be necessary to concentrate certain responsibilities, although this does not exempt the organization from ensuring the functional independence of the DPO or from expressly analyzing the risks of incompatibility.
- Clear and effective delimitation of functions: It is essential to precisely define the functions assigned to each position. In this regard, it is important to highlight that the RSII is not required to draft or approve policies, procedures, or internal rules concerning the system. In accordance with Article 5 of Law 2/2023, the responsibility for the proper implementation of an Internal Information System (IIS), which includes, among other things, the design and approval of a policy, a communication management procedure, or action protocols, rests with the administrative or governing body of the entity. This distinction is particularly important, as participation in the design or approval of these rules could place a person acting simultaneously as both DPO and RSII of the organization in a position incompatible with their supervisory role, as established by Article 39 of the GDPR. In this scenario, it is essential that the RSII does not participate in decision-making regarding the design, implementation, or modification of the Internal Information System (IIS), limiting their participation to tasks that do not compromise their independence as DPO, so that they retain sufficient autonomy to exercise their advisory and supervisory function regarding data protection. This approach is reinforced by ruling No. 1355/2026 of March 18 of the National High Court, which strictly interprets the prohibition of conflicts of interest established in Article 38.6 of the GDPR. In this ruling, the National High Court concludes that a conflict exists when the person appointed as DPO participates, directly or indirectly, in decision-making regarding the purposes and means of personal data processing, even when this participation arises from the inherent functions of their position and not from a specific or intentional act.
In this regard, when the position intended to be combined with the DPO role is defined in a statute, internal regulation, or similar organizational document, it is essential to review in advance the functions assigned to this position to ensure that they do not confer decision-making powers that compromise the independence and objectivity required of the DPO. Otherwise, the mere legal assignment of these functions could place the DPO in a position incompatible with their supervisory role, regardless of how they are exercised in practice.
- Outsourced management of the IIS: Outsourcing the management of the IIS to a specialized third party, as provided for in Article 6 of Law 2/2023, is an additional factor that can promote compliance by separating daily operations from internal supervisory and advisory functions. This model significantly reduces the risk that the DPO takes on operational or decision-making functions regarding the data processing associated with the IIS.
- Establishment of the RSII as a collegiate body: The existence of a system manager established as a collegiate body facilitates better segregation of functions and reduces the risk of decision-making being concentrated in a single person. In these cases, the internal distribution of responsibilities helps mitigate potential conflicts and clarify the role of the DPO within the system.
These factors must be analyzed in conjunction and on a case-by-case basis, allowing the organization to assess, with a practical approach, whether in a specific organizational context it is possible to reconcile the compatibility of both positions without compromising the independence of the DPO or generating a conflict of interest.
3. Conclusion
The aforementioned ruling highlights the importance of examining the configuration of certain functions within the organization with particular caution, especially when these directly affect the independence of the DPO. Although the regulations establish, as a general rule, the separation between the positions of DPO and RSII, this criterion should not be interpreted automatically or rigidly, but in light of the specific circumstances of each organization. To this end, the compatibility of both positions can only be considered in exceptional circumstances and after a prior, specific, and duly documented analysis that allows potential conflicts of interest to be identified and mitigated. Thus, a clear delimitation of functions, the reinforcement of organizational guarantees, and, where appropriate, the outsourcing or collegiate configuration of the system are key elements in ensuring a solid compliance model, aligned with the requirements of the GDPR and the interpretative criteria established by the AEPD. In cases where an organization faces this type of situation, it is highly advisable to seek the advice of specialized professionals who can accurately assess the risks and define a solution tailored to the regulatory requirements and the specific circumstances of the organization.
Information note from the Data Protection and Governance and Compliance departments of ECIJA Madrid.