Scientific Panel Independence

A specific topic is needed to address the independence and impartiality requirements that are critical for scientific panels to maintain credibility and objectivity in their advisory role.

Overview

Legal Framework

While no single article directly governs "scientific panel independence," foundational principles are established in the AI Act (Recital 126) and the Digital Services Act (Recital 59). These recitals set core requirements for the independence of bodies performing critical advisory or assessment functions. The AI Act mandates that notified conformity assessment bodies must operate with independence, competence, and an absence of conflicts of interest. Similarly, the DSA requires that certified out-of-court dispute settlement bodies possess the necessary independence and expertise to perform their activities fairly.

Practical Application

These recitals reflect a broader legal principle that expert panels must be free from undue influence to ensure objective, credible advice. Although no specific case law interpreting these recitals for scientific panels is cited, the requirement is applied by analogy. In practice, this means the composition and operation of a scientific panel must be structured to prevent conflicts, whether financial, institutional, or personal. Organizations must implement documented procedures to ensure panel members are selected based on expertise alone and are shielded from pressure that could compromise their scientific judgment. Transparency regarding selection criteria and potential conflicts is a key enforcement expectation.

Key Considerations

  • Implement Robust Conflict Policies: Establish and enforce clear declarations of interest for all panel members, with procedures to manage, mitigate, or exclude participation in cases of conflict.
  • Validate Expertise & Autonomy: Document the process for selecting members based solely on relevant scientific merit and ensure the panel has operational autonomy in reaching its conclusions.
  • Ensure Procedural Transparency: Maintain transparency in the panel's selection, composition, and working methods to bolster the credibility of its independent findings.

Laws (3)

Case Law (4)

ECLI:NL:RBROT:2026:1019, Rechtbank Rotterdam, 06-02-2026 / ROT 26/14

Rechtbank Rotterdam

Miscellaneous. Woo request. The preliminary relief judge has not found that there are such compelling interests, including on the part of the Woo requester, that disclosure of the documents could not wait until a decision has been made on the applicants' objection. Request granted, bob suspended.

XH v European Commission

CJEU

Concerns an appeal of T-613/21. On appeal it is argued that the General Court treated the professional context as a reason not to regard the data as personal data, but according to the CJEU this is incorrect. The fact that this concerns information processed in a work-related context is not a ...

Procedural law. Claim for inspection of documents in a non-IP case (Art. 843a (old) Rv). Legitimate interest in inspection. Sufficiently specified...

Hoge Raad

Procedural law. Claim for inspection of documents in a non-IP case (Art. 843a (old) Rv). Legitimate interest in inspection. Sufficient specification of the documents of which inspection is claimed. Concept of legal relationship. Handover of mediation file by lawyer. Supplementing legal grounds (Art. 25 Rv). Lifting and lapse of evidentiary attachment. Claim in the main action within the meaning of Art. 704(2) Rv.

Proportionality test of registration in IR and EVR leads to removal after one and a half years.

Gerechtshof

Summary proceedings. Failure by a bank compliance officer to disclose ancillary positions. Registration in IR and EVR for pre-employment screening well-founded. No processing of criminal personal data. PIFI requirements met except with regard to the proportionality requirement. Duration of registration shortened.

Guidance (9)

Guidelines 1/2019 on codes of conduct and monitoring bodies within the meaning of Regulation 2016/679

guidelines codes of conduct and monitoring bodies

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

guidelines territorial scope GDPR

Guidelines 04/2021 on Codes of Conduct as tools for transfers

Guidelines on codes of conduct and monitoring bodies

The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679

Guidelines on codes of conduct and monitoring bodies

Version history

Guidelines on the accreditation of certification bodies

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

guidelines certification

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Guidelines on the territorial scope of the GDPR

Version history

guidelines accreditation

VERSION HISTORY

binding corporate rules for controllers

Enforcement (11)

Company: Insufficient legal basis for data processing

€40,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 40,000 on a company that published personal data of sole traders on its website. The data originated from public sources and from the financial agency FINA. Although publicly accessible, the authority found that there was no valid legal basis for the publication. Furthermore, the company did not inform the data subjects about the processing of their data and did not properly document its processing activities. Another point of concern was that th

Company: Insufficient legal basis for the processing of data.

A fine of EUR 40,000 - imposed by the Croatian Data Protection Authority (AZOP).

The Croatian data protection authority (AZOP) has imposed a fine of EUR 40,000 on a company because it published personal data of sole traders on its website. The data originated from public sources and from the financial agency FINA. Although the data were publicly accessible, the authority found that there was no valid legal basis for the publication. In addition, the company did not inform the data subjects about the processing of their data and did not properly document its processing activities. Another point of concern was that...

Asper Biogene OÜ: Insufficient technical and organisational measures to ensure information security

Estonian Data Protection Authority (AKI)

The Estonian DPA imposed a fine of EUR 85,000 on Asper Biogene OÜ. Asper Biogene OÜ suffered a data leak due to a lack of adequate security measures. The leak affected approximately 100,000 files containing personal, health and genetic data. Asper Biogene OÜ also appointed a member of the board of directors as DPO, resulting in a conflict of interest. A fine of EUR 80,000 was imposed for the inadequate security measures. The unlawful appointment of the DPO was fined EUR 5,000. ---UPDATE--- The T

Company: Lack of appointment of data protection officer

€5,000 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine on a company. The controller appointed a DPO who had a conflict of interest, meaning the person was not suitable for the role.

Hotel: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests' credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it coll

Conservatorio di Musica S. Cecilia di Roma: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on 'Conservatorio di Musica S. Cecilia di Roma'. A student of the educational institution had filed a complaint with the DPA for having received a disciplinary sanction for a statement made during a student assembly. Although it was not supposed to be, the assembly was recorded and the institution used the recordings to base the disciplinary action on it. During its investigation, the DPA determined that the controller did not have a valid legal ba

Company: Insufficient involvement of data protection officer

€525,000 fine - Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection officer, who however was also the managing director of two service companies that processed personal data on behalf of the very same company for which they acted as data protection officer. These service companies are also part of the group to which the e-commerce company belongs. The DPA considered this to be a conflict of interest and found a vio

Policoro municipality: Non-compliance with general data processing principles

€26,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 26,000 on Policoro municipality. The municipality had installed a video surveillance system without, however, providing sufficient information about the surveillance. In addition, the DPA found that the municipality had not established a retention period for the video surveillance recordings and kept them for an excessive period of time. In addition, the DPA found that the municipality had not fulfilled its obligations in appointing a data protection off

Bank: Insufficient involvement of data protection officer

€75,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 75,000 on a bank. The DPA identified a conflict of interest regarding the data protection officer. In addition to his work as data protection officer, he was also head of a department to which he had to report in his capacity as data protection officer. The DPA considered this to be a violation of Art. 38 (6) GDPR.

Clinic: Insufficient involvement of data protection officer

Data Protection Authority of Berlin

The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on th

Proximus SA: Insufficient involvement of data protection officer

€50,000 fine - Belgian Data Protection Authority (APD)

According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.

News (11)

UODO (Poland) - DKN.5131.4.2025

English Summary: The DPA fined the Polish national postal operator €232k for a DPO conflict of interest. The DPO concurrently served as a Security Director and company proxy, effectively monitoring their own decisions regarding the means of data processing. The DPA fined the national postal operator €232,000 for appointing a DPO with a conflict of interest. The DPO concurrently served as a Security Director and representative of the controller, effectively monitoring their own decisions regar

Can organisations achieve efficiency gains by combining the roles of Data Protection Officer (DPO) and whistleblowing officer?

Following the introduction of the EU Whistleblower Directive in 2021, companies' data protection officers were tasked with setting up secure reporting channels. Since these data protection and whistleblowing systems are managed by the same department, is it wise for companies to combine the roles of data protection officer and whistleblowing officer? František Nonnemann, compliance and operational risk supervisor at PBK Technology and certified privacy professional (CIPP/E), explains the similarities between data protection officers and whistleblowing officers.

Can the roles of DPO and whistleblowing officer be merged?

> Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit — the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highligh

The Icelandic supervisory authority has ruled that there is a conflict of interest when a Data Protection Officer (DPO) is simultaneously also a company's chief lawyer.

The Icelandic Data Protection Authority (SA) has found that there is a conflict of interest when a Data Protection Officer (DPO) is simultaneously also the senior lawyer, deputy CEO or board member of a company. However, a DPO can hold the position of compliance officer.

The Icelandic SA held that there is a conflict of interest when a DPO is simultaneously also a company's senior lawyer

> The Icelandic DPA (SA) held that there is a conflict of interest when a DPO is simultaneously also a company's senior lawyer, deputy CEO or board member. However, a DPO can hold the position of compliance officer.

The Italian SA acted against a municipality due to the use of its video surveillance system and by appointing its DPO to defend it in court proceedings

> Lastly, the DPA held that the controller, by entrusting its DPO with its defence in court proceedings, placed the DPO in a position of conflict of interest in violation of Article 38(6) GDPR. This was especially because it led to the data subject feeling unable to contact the DPO with regard to issues related to processing of their personal data and to the exercise of their rights under Article 38(4) GDPR.

The Italian SA took action against a municipality over the use of its video surveillance system and because it appointed its Data Protection Officer (DPO) to represent the municipality in court proceedings.

Finally, the data protection authority held that the controller, by involving the data protection officer (DPO) in its defence in court proceedings, placed the DPO in a position of conflict of interest, in violation of Article 38(6) GDPR. This was particularly because it led to the data subject feeling unable to contact the DPO regarding issues related to the processing of their personal data and the exercise of their rights as set out in Article 38(4) GDPR.

Berlin DPA imposes 525K euro fine over DPO violation

> The Berlin Commissioner for Data Protection and Freedom of Information issued a 525,000 euro fine to a Berlin-based retailer for violation of data protection officer requirements under the [GDPR]. An investigation found an alleged conflict of interest concerning the DPO's employment status and decision-making responsibilities that violated Article 38(6) of the GDPR. The company received a warning from the regulator in 2021.

Berlin DPA: Fine of 525,000 euros imposed for violation of the DPO rules.

The Berlin Commissioner for Data Protection and Freedom of Information has imposed a fine of 525,000 euros on a retailer based in Berlin for violating the data protection officer (DPO) requirements laid down in the [GDPR]. An investigation pointed to an alleged conflict of interest concerning the DPO's employment status and decision-making powers, in breach of Article 38(6) of the GDPR. The company received a warning from the regulator in 2021.

EU Court: data from which a person's sexual orientation can be indirectly inferred constitute sensitive data within the meaning of the GDPR

The processing of personal data that may indirectly reveal sensitive information about an individual, such as information about their sexual orientation, may qualify as processing of "special categories of personal data" within the meaning of the GDPR. The processing of such sensitive data is prohibited in principle. This is the EU Court's answer to questions from a Lithuanian judge.

Data Protection Officer or Chief Privacy Officer? The rise of the Data Protection Officer

> Do we need a Chief Privacy Officer, a Data Protection Officer, or do we need both? In the following article, I will examine the benefits of both roles, but I will also look at some of the challenges related to each of the roles and why these have impelled both Data Protection Officers and organisations to question what the ideal setup is for them.