Incompatibilities and conflict of interest between the DPD and the RSII according to the criteria of the AEPD
1. Summary of the decision and infringements of the GDPR found by the AEPD
The resolution of sanctioning procedure EXP202316729[1], handled by the Spanish Data Protection Agency (AEPD), turns on two points of particular relevance from a regulatory compliance perspective: on the one hand, a security breach that exposed personal data and, on the other, a conflict of interest in the governance structure of the Provincial Council, arising from the accumulation of functions in the Data Protection Officer (in Spanish, Delegado de Protección de Datos; hereinafter, "DPD"):
- Security breach and infringement of Article 5(1)(f) GDPR. The AEPD considers it established that the breach originated because the Provincial Council had not previously implemented sufficient technical and organisational controls to prevent improper access to the SPEIS (fire and rescue service) folder. The permission configuration allowed workers from different fire stations to access and download documents whose use should have been restricted to the administrative and managerial staff of the service. In the Agency's view, with appropriate measures in place the breach "would not have occurred", so the lack of preventive measures constitutes a direct infringement of Article 5(1)(f) GDPR. Although the Provincial Council reacted quickly once the incident was detected, blocking access, initiating an internal analysis and notifying the AEPD and the affected persons, these actions were reactive in nature and do not cure the infringement, since the unauthorised access had already taken place.
- Conflict of interest and infringement of Article 38 GDPR. The most relevant aspect of the decision is the finding of a conflict of interest in the figure of the DPD. The Provincial Council had also designated its DPD as the person responsible for the Internal Information System (RSII), a role that involves managing internal reports, taking operational decisions on how they are handled and accessing the personal data processed in the course of each case. These functions directly affect the purposes and means of the processing and are incompatible with the independent supervision required by Article 38 GDPR. The Agency notes that the DPD had warned of the possible incompatibility, which led the Provincial Council to formally consult the AEPD. However, the Provincial Council maintained the dual role until after the procedure had been opened, without carrying out a prior risk analysis to verify that no conflict of interest existed.
2. Conflict of interest between the roles
Having set out the general elements of the resolution, it is worth analysing how the AEPD assesses the independence of the DPD when his or her functions are connected to the Internal Information System (hereinafter, "IIS") provided for in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.
Specifically, the Agency examines how certain operational tasks may impact on the autonomy required by the GDPR and which criteria are relevant to identify potential conflicts of interest under Article 38 of the GDPR.
The key points of the AEPD's legal reasoning for assessing this conflict of interest are as follows:
- Functional, not nominal, scrutiny. The AEPD insists that compatibility must be assessed on the basis of the functions actually performed, not the formal title of the position. In this case, managing the IIS meant deciding how information is handled, how the data entered into the channel is processed and when it is appropriate to forward it to internal or external bodies. All of these decisions bear directly on the purposes and means of the processing, which is the key element of the incompatibility analysis under the Guidelines of the former Article 29 Working Party (WP243) and the case law of the Court of Justice of the European Union (Case C-453/21).
- The DPD cannot supervise what it also manages. The GDPR requires the DPD to hold a neutral, supervisory position, acting as guarantor of compliance. If the DPD is at the same time the person who operationally manages a processing operation (such as the internal channel), that supervisory capacity is nullified. The AEPD sums it up clearly: the DPD cannot be both judge and party within the same processing system. The incompatibility is aggravated where the system involves particularly sensitive data and decisions on disciplinary or legal intervention. The AEPD also relies on the wording of Article 8.4 of Law 2/2023, which provides: "The System Controller must carry out its functions independently and autonomously from the rest of the bodies of the entity or body, may not receive instructions of any kind in their exercise, and must have all the personal and material means necessary to carry them out".
- Lack of safeguards and absence of prior analysis. The Agency recalls that it is the responsibility of the organisation, not of the DPD, to demonstrate that additional functions do not give rise to a conflict of interest. This requires a prior, documented analysis based on objective criteria. The Provincial Council neither carried out such an analysis nor established internal safeguards (for example, abstention rules, functional limits or separation of access) that would have made it possible to assess and, where necessary, mitigate the risk. This absence of measures is decisive for the conclusion that Article 38 GDPR was infringed.
- Material versus formal independence. The AEPD rejects the idea that the independence of the DPD can be guaranteed solely by formal elements, such as reporting to the highest management level or not holding a vote on certain committees, if in practice the DPD performs functions that place him or her inside the operational circuit that he or she is supposed to audit. Independence, the Agency recalls, is material, practical and verifiable, not declarative.
It is worth mentioning that the AEPD recalls in the aforementioned resolution that "In view of the question raised by the DPD himself on the possible incompatibility, the AEPD was consulted, maintaining the appointment of the DPD until a reply was received. This consultation was resolved on 25 February 2025, concluding that it was not possible to assign the functions of head of the internal information system to the DPD".
In other words, the AEPD had already ruled on this specific case, concluding in the earlier consultation that concentrating both roles in the same person gave rise to an incompatibility under the applicable rules.
Finally, both the Provincial Council and the AEPD refer to the Agency's report 2018-0170[2], which analysed the compatibility of the DPD with the Security Officer under the National Security Scheme (ENS). In summary, that report concluded that, as a general rule, there must be a separation between the Data Protection Officer regulated in the GDPR and the ENS Security Officer: their functions may not be assigned to the same person or collegiate body, and may only be combined in the same person in organisations of small size and/or scarce resources, provided that the necessary technical and organisational measures are adopted to avoid the conflicts of interest that may arise in the exercise of their respective functions.
3. Conclusion
By way of conclusion, the AEPD resolution sets out a clear criterion on the importance of having solid preventive measures in place and of ensuring that the Data Protection Officer enjoys real independence in the performance of his or her functions.
The case shows that certain accumulations of roles can generate incompatibilities that are not always evident at first sight, especially where they involve operational or decision-making tasks. It also shows that, where the appropriate prior analysis is carried out and suitable measures are adopted to manage the conflict of interest, it may be feasible to make the two sets of functions compatible.
The AEPD's interpretation reinforces the need to review the internal compliance architecture and to properly document the assignment of functions, with the aim of ensuring a governance model that is solid, transparent and aligned with the GDPR. At the same time, the Agency recalls that situations of this kind must be assessed through a detailed analysis of the functions involved and studied case by case, taking into account the particularities of each organisation and the actual scope of the functions performed.
This means that, as a general rule, the functions of Data Protection Officer cannot be assumed by the Head of the Internal Information System, or vice versa, unless the lack of means and resources, the potential incompatibility and the mechanisms deployed to prevent the two roles from interfering with each other's proper functioning have been analysed, duly accredited and justified.
Finally, it should be made clear that the AEPD at no point asserts an incompatibility between the function of the Compliance Officer and that of the DPD: the Compliance Officer is a figure entirely distinct from the person responsible for the information or complaints channel. Although the two positions could occasionally come into conflict, such a conflict could be duly managed by adopting appropriate measures and controls of a material nature, insofar as both functions are exercised in the second line of defence.
[1] The full text of the resolution can be found at the following link: https://www.aepd.es/documento/ps-00548-2024.pdf
[2] The full text of the report can be found at the following link: https://www.aepd.es/documento/2018-0170.pdf
Information note from the Data Protection area of ECIJA Madrid.