Independent… So what?
It's impossible not to begin my discussion of the topic I'm interested in by recalling the definition of the word "independent." For this purpose, it's best to consult the PWN Dictionary of the Polish Language. Therefore, "independent" means "not subordinated to someone or something, self-determining; also: demonstrating a lack of subordination to someone or something" [1].
Now let's take a look at the GDPR. First, a fragment of Recital 97, which states that "Data Protection Officers, whether or not they are employees of the controller, should be able to perform their duties and tasks independently."
Independence attributes in the GDPR
Here, Article 38 of the GDPR comes to our aid, as it states that both the data controller and the data processor must:
ensure that the data protection officer does not receive instructions regarding the performance of his/her tasks,
not dismiss or punish the DPO for fulfilling his/her duties,
ensure the direct reporting of the DPO to the highest management of the controller or processor,
provide the resources necessary to perform the DPO’s tasks and access to personal data and processing operations, as well as the resources necessary to maintain the DPO’s expertise,
in the event of assigning other tasks and imposing additional responsibilities on the DPO – ensure that such tasks and responsibilities do not result in a conflict of interest,
Furthermore, the DPO is obliged to maintain secrecy or confidentiality in the performance of his/her tasks – in accordance with EU or Member State law, which, in my opinion, also falls within the scope of the independence of the data protection officer.
The Case of Toyota Bank
In January 2025, the PUODO decision regarding Toyota Bank came to light [2]. This is very interesting material to analyze specifically from the perspective of an independent DPO, because one of the two threads raised in this decision concerned the DPO.
During the investigation conducted by the President of the Personal Data Protection Office (UODO), it was discovered that the Data Protection Officer appointed at Toyota Bank did not report directly to the Bank's top management (i.e., its management board). Furthermore, the DPO simultaneously worked as an IT auditor/security specialist in the security team and then in the security department, reporting directly to the department's director. The UODO further indicated that this director's responsibilities also included managing data processing processes.

There's no need for an in-depth analysis of GDPR regulations, especially the previously cited Article 38, to see that these regulations were violated in the above case. Interestingly, Toyota Bank argued to the Data Protection Office that the DPO's position in the security department "has only an administrative dimension (e.g., approving leave and determining financial conditions)," while the DPO himself was completely independent in his duties (as DPO).
Apparently, the above argument did not convince PUODO, because Toyota Bank was fined, among other things, for the improper placement of the DPO within the organization.
The case of Toyota Bank seems quite obvious to me and – if I can afford such a comment – PUODO, in my opinion, made the right decision.
DPO with power of attorney – is this possible?
For a really long time, the issue of performing certain activities by the DPO on the basis of a power of attorney (specifically, reporting the appointment of the DPO and reporting violations) was not questioned at all by the supervisory authority.
The first letters from the Personal Data Protection Office (UODO) that addressed this issue began to appear in 2024. Let's see what the UODO indicated in this type of correspondence:
"Granting the data protection officer the power of attorney to act on behalf of the controller (represent the controller) before the supervisory authority in matters concerning personal data protection conflicts with the requirement not to impose on the DPO tasks that would result in a conflict of interest. The DPO's task is to inform the controller of their obligations under the GDPR, to advise them in this regard, and to monitor the performance of these obligations (Article 39(1)(a) and (b) of the GDPR). Acting as the controller's representative in relation to the obligations imposed on the controller may significantly hinder or prevent the DPO from independently assessing whether the controller's obligations are being performed and whether they are being performed correctly.