Menu

Filter by
content
PONT Data&Privacy
  • PONT home
    • mill

    0

    Human-AI collaboration
    De samenwerking tussen mens en AI wordt steeds belangrijker. In dit dossier staat de interactie tussen gebruiker en systeem centraal, met aandacht voor vertrouwen, toezicht, AI-geletterdheid en de rolverdeling tussen menselijk oordeel en automatische besluitvorming.

    Autoriteit Persoonsgegevens tackles double-hatted data protection officers

    Because of the AVG (General Data Protection Regulation), organizations are (sometimes) required to appoint a Data Protection Officer (FG) or Data Protection Officer (DPO). This person is independent, monitors and provides advice on the processing of personal data. Often, for practical reasons, this position is combined with another position, such as CISO, legal counsel or a management role. Due to this combination of functions, conflicts of interest may arise. Because the FG cannot always do his work independently by wearing this double hat, the Autoriteit Persoonsgegevens (AP) warns about the risk of conflicts of interest. The AP will therefore begin enforcement in 2025. What this enforcement entails and how BDO can help, we explain below.

    Iwan van Munster

    23 February 2025

    Blog

    Blog
     

    What is the job of an FG?

    Since the introduction of the AVG, many organizations have appointed an FG. In certain cases, this is mandatory, such as in the case of government agencies, when the organization routinely observes individuals on a large scale (for example, schools) or when special personal data are processed on a large scale (such as healthcare institutions or the police). In addition, an organization may voluntarily appoint an FG.
     
    The FG's role is to provide independent oversight within the organization. The organization must actively facilitate this. On the one hand, the FG must inform and advise on the AVG and its compliance. FGs are often "the" privacy point of contact within the organization. On the other hand, they provide advice, cooperate with and are points of contact for the regulator (such as the AP). The AP and the European Data Protection Board (the AVG advisory body at the European level) have previously drafted frameworks on how the function of FG should be shaped.
     

    The practice: an FG with a double hat

    Despite the above frameworks, in practice the AP regularly sees troubling combinations of functions occurring where the FG is not independent. In particular, the AP sees the following two problematic situations:
     
    1. In the other role, the FG (co-determines) the purpose and means of processing personal data. This risk is particularly high when the FG function is combined with a management function that consists of decision-making or co-determination.
    2. The FG processes personal data or performs privacy-related work in another role. This is the case with positions such as Privacy Officer (PO), Chief Information Security Officer (CISO), Compliance Officer or any other position that processes personal data itself.
     
    Combining such a role leads to oversight of one's own work, or in other words, the butcher inspects his own meat.
     

    Expected actions from the AP

    The above situations are undesirable according to the AP and it will continue to enforce this in 2025. Announced actions include a publication explaining this issue and insisting that the European Data Protection Board name conflicts of interest in the new guidelines. Beyond these "paper" actions, the AP will act on potential conflicts of interest. FGs can expect written questions where they must explain the independence of their position. The organization itself may also be invited to a so-called standards-setting meeting, in which the AP explains standards for the FG's role and position. Does the controller then take no action to resolve the conflict of interest? Then the AP can impose administrative sanctions, such as imposing a fine or conducting an investigation and publishing them by name.
     

    Beware of conflicts of interest

    Organizations with an FG position would be wise to scrutinize it. Do you suspect a conflict of interest? Separate the functions or enlist the help of an external and/or interim FG. This will ensure independence as best as possible. Do you need more information? Our privacy specialists will be happy to help you. You can contact them via the contact form on our website.
     
    1 Positioning of the FG.
    2 European Data Protection Board (EDPB) guidelines.
    BDO

    Share article

    Comments

    MORE REACTIONS

    Leave a comment

    You must be logged in to post a comment.

    NEWS

    a computer generated image of a human brain

    Nederlandse verzekeringssector omarmt AI

    News/press release

    AP onderschrijft internationale oproep tegen misbruik van AI-gegenereerde beelden

    News/press release

    Zorg over onbetrouwbare AI-stemhulpen raadsverkiezingen

    News/press release

    AI onder de loep: De dunne lijn tussen innovatie en verboden praktijken

    Blog

    In april 2021 presenteerde de Europese Commissie het wetsvoorstel voor de AI-verordening. De noodzaak van deze regelgeving werd duidelijk door de snelle technologische ontwikkelingen...

    AP warns of major security risks with AI agents such as OpenClaw

    Autoriteit Persoonsgegevens
    Autoriteit Persoonsgegevens

    AP: Without clear values, generative AI risks becoming the Wild West

    News/press release

    EDPB and EDPS warn: simplification of AI rules must not come at the expense of fundamental rights

    News/press release

    Business world gets stuck in 'pilot trap' due to lack of AI activation

    News/press release

    EU takes step towards 'AI gigafactories'

    News/press release
    Council of the European Union

    Introduction to AI for public professionals

    Are you already meeting the legal requirements of the AI Act? As of Feb. 1, 2025, the European AI Act requires organizations to adequately train their staff in AI literacy. This means that depending on their role, staff must have specific knowledge about the operation and impact of AI systems, with a focus on ethics, transparency and risk management. Training should be tailored to the level of technical experience and specific use of AI within the organization so that staff can apply AI systems responsibly. In addition, the effects of AI use on internal and external stakeholders must be considered. Are you already compliant with these requirements? In this course, you will receive a thorough and accessible introduction to the world of artificial intelligence to ensure your AI literacy.

    Learn more

    Learn more
    -->

    Prompts with policy: AI use within ethical frameworks

    AI is playing an increasing role in the work of privacy professionals. From drafting texts and analyzing documents to gaining new insights - AI tools like ChatGPT and CoPilot can take a lot of work off your hands. But ... only if you know how to use them smartly and safely. The quality of output hinges on one thing: the question you ask. Want to use ChatGPT smarter and more effectively in your daily work? Learn how to use the right prompts to win time, get better results and avoid mistakes.

    Learn more

    Expert membership

    Expert membership

    Benefit now

    AI in practice: the legal aspects

    In deze cursus krijg je van een een gespecialiseerd Data Scientist (Dr. ir. Linda Terlouw) inzicht in Artificial Intelligence. Mede aan de hand van voorbeelden uit de praktijk bespreekt de docent de juridische achtergronden en valkuilen. Je gaat met een praktijkcasus aan de slag om de kennis meteen toe te passen.

    Learn more

    Cursus: Inzage- en verwijderverzoeken

    Individuals are increasingly invoking their privacy rights. For example, they ask for a copy of their data or, on the contrary, demand that the organization erase all their data. This raises complex questions. It is a challenge for many organizations: how can they fulfill all these requests efficiently but also properly? On the one hand, privacy compliance is important; on the other hand, you do not want to disadvantage your own position of proof in any future proceedings. A tricky matter with many pitfalls. This course gives you the tools to handle privacy requests efficiently and compliantly. The instructor uses many practical examples and concrete cases are worked out together so that your practical questions are directly addressed.

    Learn more

    Join PONT | Data & Privacy

  • Access to Knowledge Base
  • Read e-books
  • Contact with peers
  • Own news overview
    • BECOME A MEMBER

    General

    Service

    Navigate

    Berghauser Pont Media Group

    CONTACT

    𝕏

    Copyright 2026 Berghauser Pont | Website created by Buro Zero