by ThePhysicist
2950 days ago
I don't think it's a big assumption as the law as well as the guidelines clearly state that point (from "Guidelines on Data Protection Officers" [1] by WP29, pages 16 ff.):

> The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.

> As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.

In summary, if you have power to decide how or for what purposes the processing of the data is to be carried out, you're probably not allowed to serve as DPO. Of course in the end it's the company's decision who to give that role to, but not following the guidelines increases the chance of non-compliance.

1: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...