Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests


Paragraph 6, Article 38 of the General Data Protection Regulation (GDPR) allows the Data Protection Officer (DPO) to fulfil other tasks and duties (beside serving as the DPO) for the controller or processor, provided however, that fulfilling such additional assignments doesn’t amount to a conflict of interest.

The Article 29 Working Party Guidelines on Data Protection Officers (‘DPOs’) further explain that the DPO should not “hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”. A list of typically or presumably conflicting positions within the organisation is also included in the Guidelines (page 16).

On November 9, 2018, the Slovenia’s Information Commissioner (Informacijski pooblaščenec) published on their website the Recommendations regarding the operations of the DPO, which include a list of tasks that, if performed by the DPO, would typically result in a conflict of interest and should therefore be avoided by the DPO. These include:

  • deciding upon the rights and obligations of an individual;
  • deciding on setting-up new filing systems, defining purposes and scope of processing;
  • deciding on organizational and technical measures for the security of the personal data;
  • deciding on engaging the processors and drafting of contracts between the organisation and the processors;
  • deciding on the transfer of personal data to third countries or international organisations;
  • carrying out of a data protection impact assessment (DPIA);
  • setting-up or updating a record of processing activities;
  • other tasks that include decision-making related to personal data where the DPO would find her/himself in a situation when she or he would have to scrutinise their own decisions.

In our view, the abovementioned examples support the often-overlooked fact that the DPO is not, and should not be, a (top) personal data operative, but rather a high-profile expert who should be spared from any day-to-day (processing) operations involving personal data.


Article provided by: Matija Jamnik (JK Group, Slovenia)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.