Updated June 30, 2026
Summary: GDPR Articles 37–39 demand a structurally independent DPO with adequate resources, and the EDPB CEF 2024 enforcement action shows most organisations still fail on both counts. Sovereign infrastructure, including on-premises SIEM, immutable logs and Swiss FADP-compliant hosting, transforms the DPO's evidentiary position from reactive to audit-ready.

The Data Protection Officer, as defined under GDPR Articles 37 through 39, is not a compliance formality. The DPO is a structurally independent function whose legal position, resource base and freedom from conflict of interest determine whether an organisation can demonstrate accountability under Article 5(2) GDPR, not merely claim it. The infrastructure an organisation chooses to run its processing activities on directly shapes whether the DPO can ever fulfil that mandate in practice.

What EDPB CEF 2024 Revealed About DPO Structural Failures

The EDPB’s 2024 Coordinated Enforcement Action, focused specifically on DPO designation and position, identified two recurring failure modes that supervisory authorities across EU member states encountered most often: insufficient resources allocated to the DPO function, and structural conflicts of interest arising from dual roles. These are not edge cases. They reflect a systemic gap between how organisations designate a DPO on paper and how the function operates in practice.

Resource adequacy under Article 38(2) requires that the controller and processor give the DPO access to personal data and processing operations, and maintain the DPO’s expert knowledge through ongoing support. In organisations running heavily outsourced IT environments, including hyperscaler cloud services subject to US CLOUD Act or FISA 702 jurisdiction, the DPO often cannot independently access processing records at all. They depend on what the cloud provider chooses to surface through a dashboard. This is not access to processing operations in any meaningful regulatory sense.

Key finding: The EDPB CEF 2024 DPO Report identified resource adequacy as one of the two most frequently cited structural failures across participating supervisory authorities, a finding that points directly to the evidentiary limitations of cloud-dependent processing environments.

Sovereign infrastructure, meaning on-premises or jurisdiction-controlled hosting with locally operated audit logging and a SIEM that the organisation fully controls, changes this picture. When the DPO has direct, authenticated access to immutable logs and processing records that no foreign government can compel a provider to hand over unilaterally, the resource-adequacy requirement becomes demonstrably satisfiable. The logs are the evidence, and the DPO holds the key to them.

Documenting the DPO Mandate Across Hybrid Environments

Organisations operating both sovereign on-premises infrastructure and residual legacy cloud services face a specific documentation challenge that the EDPB’s 2024–2027 Strategy signals will receive increasing scrutiny.

The Article 30 record of processing activities must reflect the actual legal and jurisdictional reality of each processing activity. This means each entry should specify whether processing occurs on sovereign infrastructure, identifying the physical location and the applicable national law, or on a legacy cloud service, naming the provider, their country of establishment and any exposure to extraterritorial law. A US-headquartered provider offering EU-region servers does not remove CLOUD Act exposure; that exposure follows corporate structure, not server location.

| Processing environment | Article 30 documentation requirement | DPO evidentiary access | Foreign-law exposure |
|---|---|---|---|
| Sovereign on-premises (EU or Swiss jurisdiction) | Server location, applicable national law, access controls | Direct, jurisdiction-controlled immutable logs | None, subject to local legal process only |
| Swiss FADP-compliant hosting | Swiss legal basis, FADP Article 10 advisor designation if applicable | Contractually guaranteed, FADP-governed | None for Swiss-incorporated providers |
| US-headquartered hyperscaler (EU region) | Provider name, CLOUD Act exposure, SCCs or TIA | Provider-mediated, subject to US legal orders | CLOUD Act, FISA 702, potential compelled disclosure |
| Residual legacy SaaS (mixed jurisdiction) | Migration timeline required, interim DPIA | Limited to provider-supplied exports | Depends on provider’s country of incorporation |

The DPO’s formal mandate document should specify their right of access to each category of processing environment, including authentication credentials or read-only access to SIEM dashboards for sovereign systems, and a documented escalation path for requesting equivalent access from legacy cloud providers. Absent this, the mandate is a statement of intent, not a functional instrument.

Conflict of Interest Under Article 38(6): The CISO Problem

GDPR Article 38(6) permits a DPO to fulfil other tasks and duties, but requires that the controller ensure no conflict of interest arises. The Article 29 Working Party’s Guidelines on DPOs (WP243), adopted by the EDPB, are explicit: “Organisations must ensure that the DPO does not find themselves in a situation in which it is necessary to decide whether to prioritise a company interest over data protection.”

In a sovereign infrastructure organisation, the CISO or IT director typically decides the architecture of the logging systems, the access control policies, the incident response playbooks and the vendor selection for on-premises tooling. Each of those decisions is simultaneously a data protection decision and a technical operations decision. A person who made those decisions cannot independently audit or advise on them. Designating the same individual as DPO creates a structural conflict that no procedural safeguard can reliably resolve.

Practical boundary: The DPO may be briefed on infrastructure decisions and consulted before those decisions are made, as required by Article 38(1), but they must not hold line responsibility for the outcome. A separate reporting line directly to the board or executive leadership, bypassing the IT hierarchy, is not optional under Article 38(3).

The EDPB CEF 2024 findings reinforce this. Conflict of interest was the second most commonly cited structural failure. In regulated sectors, finance under DORA, healthcare under NIS-2, and public bodies under GDPR Article 37(1)(a), the risk is compounded because the DPO’s independence is also subject to sectoral supervisory review, not just data protection authority inspection.

Sovereign Infrastructure as Primary Evidence for Regulators

One of the least-discussed operational advantages of sovereign infrastructure for a DPO is evidentiary. When a supervisory authority opens an investigation or requests documentation under Article 58(1) GDPR, the DPO’s response time and the quality of evidence they can produce depend entirely on what records exist and who controls them.

An on-premises SIEM with immutable, cryptographically signed audit logs can produce a complete, tamper-evident record of every access event, data export, permission change and processing operation within minutes. That record is held in the organisation’s jurisdiction, subject only to the applicable national law, and the DPO has authenticated access without needing to file a request with a cloud provider’s legal team in another country.

The IBM Cost of a Data Breach Report 2023 found that the average cost of a data breach reached $4.45 million globally, a figure that includes regulatory penalties, notification costs and reputational damage. Organisations that can demonstrate rapid, evidence-backed containment and accountability systematically reduce their exposure in regulatory proceedings.

For internal audits, the same infrastructure enables the DPO to run processing records against Article 30 entries in real time, identifying discrepancies between declared and actual data flows before they become regulatory findings. This shifts the DPO’s function from reactive reporting to continuous compliance validation.
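As an added illustration of the tamper-evident logging described above and of checking logged processing against Article 30 entries (example code, not from the original article): a hash-chained, HMAC-signed audit log whose verification localises any edited, deleted or reordered record, and a reconciliation of logged events against a constructed Article 30 register. The events, the register and the signing key are all constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; in practice it lives in an HSM or KMS inside the organisation's own jurisdiction.
SIGNING_KEY = b"placeholder-key-for-illustration-only"
GENESIS = "0" * 64

def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(digest):
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()

def append_event(chain, event):
    """Append an event linked to the previous record's hash and signed with the key."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(_canonical({"prev": prev, "event": event})).hexdigest()
    record = {"prev": prev, "event": event, "hash": digest, "sig": _sign(digest)}
    chain.append(record)
    return record

def verify_chain(chain):
    """Return (ok, index of first bad record); catches edits, deletions and reordering."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        digest = hashlib.sha256(_canonical({"prev": rec["prev"], "event": rec["event"]})).hexdigest()
        if rec["prev"] != prev or rec["hash"] != digest or not hmac.compare_digest(rec["sig"], _sign(digest)):
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed Article 30 register: declared activity -> declared processing environment.
ARTICLE_30 = {"hr-payroll": "onprem-ch", "crm": "onprem-eu"}

def reconcile(chain, register):
    """Flag logged events whose activity or environment is not declared in the register."""
    findings = []
    for rec in chain:
        ev = rec["event"]
        declared = register.get(ev["activity"])
        if declared is None:
            findings.append((ev["id"], "activity not in Article 30 record"))
        elif ev["env"] != declared:
            findings.append((ev["id"], f"declared env {declared}, observed {ev['env']}"))
    return findings

def build_sample_chain():
    """Constructed events (who, what, when, authorisation); event 3 exports to an undeclared env."""
    chain = []
    append_event(chain, {"id": 1, "ts": "2026-06-01T08:00Z", "actor": "hr.admin", "action": "read",
                         "activity": "hr-payroll", "env": "onprem-ch", "authz": "role:hr"})
    crm = {"actor": "sales.ops", "activity": "crm", "authz": "role:sales"}
    append_event(chain, dict(crm, id=2, ts="2026-06-01T08:05Z", action="read", env="onprem-eu"))
    append_event(chain, dict(crm, id=3, ts="2026-06-01T08:07Z", action="export", env="legacy-saas-us"))
    return chain
```

`verify_chain` answers the integrity question a supervisory authority would ask first; `reconcile` turns the same records into the declared-versus-actual discrepancy list the paragraph above describes.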

The DPO’s Role in Sovereign Procurement Decisions

GDPR Article 38(1) requires that the controller and processor involve the DPO “in a timely manner in all issues which relate to the protection of personal data.” Article 39(1)(c) gives the DPO an advisory role on data protection impact assessments. These provisions have direct procurement implications that are frequently underestimated.

When a CISO evaluates a sovereign cloud alternative, whether a Nextcloud-based workspace replacing Microsoft 365, or a private AI deployment replacing a public API service, the DPO must be involved before the procurement decision is made, not after. The DPIA for a new processing environment must be signed off by the DPO as part of the procurement record, and the Article 30 entry for the new environment must be created or updated before the system goes live.

Cumulative GDPR fines exceeded €2.1 billion by the end of 2023 according to DLA Piper’s GDPR Fines and Data Breach Survey 2024, a number that reflects the cost of after-the-fact compliance remediation. Involving the DPO at the procurement stage, with a documented DPIA and an Article 30 update as procurement gate criteria, is the structural mechanism that prevents that cost.

Swiss FADP Article 10 and the Dual-Role Structure

The revised Swiss Federal Act on Data Protection, in force since September 2023, introduced the voluntary data protection advisor role under Article 10. The structure differs from GDPR Article 37 in three material ways: designation is voluntary for most private organisations, the independence requirements are less prescriptive, and the primary incentive is procedural: a designated advisor can reduce the Federal Data Protection and Information Commissioner’s power to initiate certain advisory proceedings against the organisation.

For organisations hosting data under both the GDPR and the Swiss FADP, typically those providing services to both EU and Swiss data subjects, a dual-role structure is necessary. The GDPR-compliant DPO covers EU-resident data subjects and must meet the full requirements of Articles 37 through 39, including mandatory designation where applicable, structural independence, and direct board reporting. The FADP Article 10 advisor covers Swiss-resident data subjects and operates under the Swiss framework’s lighter-touch requirements.

The allocation of responsibilities between the two roles must be documented, specifying which data subjects each role covers, how conflicts or overlapping incidents are handled, and which supervisory authority each role’s holder engages with. Where one individual holds both roles, the documentation must make the jurisdictional split explicit so that neither role’s requirements are diluted by the other’s.

The EDPB’s 2024–2027 Strategy identifies consistent enforcement of DPO structural requirements as a multi-year priority, meaning that the gap between formal designation and functional independence is exactly what supervisory authorities will probe. Swiss FADP hosting under a properly incorporated Swiss provider removes foreign-law exposure entirely for Swiss-resident data, but it does not substitute for GDPR compliance where EU data subjects are involved. The two frameworks must run in parallel, not be conflated.

FAQ

Can a CISO also serve as DPO in an organisation that operates its own sovereign infrastructure?

Under GDPR Article 38(6), a DPO may hold other tasks and duties, but the controller must ensure those tasks do not result in a conflict of interest. A CISO who procures, configures or operates infrastructure has a direct interest in the outcome of oversight decisions about that same infrastructure. In a sovereign infrastructure organisation, where the IT director controls logging systems and access management, the same person cannot independently audit or advise on those controls as DPO. Role separation with a direct reporting line for the DPO to the highest management level is mandatory.

How does sovereign infrastructure improve a DPO’s evidentiary position during a supervisory authority investigation?

When processing occurs on sovereign, on-premises infrastructure with immutable audit logs and a jurisdiction-controlled SIEM, the DPO can produce tamper-evident records showing who accessed what data, when and under what authorisation, without relying on a third-party cloud provider or facing delays caused by foreign legal process. This transforms the DPO from a coordinator of evidence requests into the primary custodian of audit-ready records, directly satisfying GDPR Articles 5(2) and 30.

What does Swiss FADP Article 10 require, and how does it differ from GDPR Article 37?

The revised Swiss FADP allows private-sector organisations to voluntarily designate a data protection advisor under Article 10, which can limit the Federal Data Protection and Information Commissioner’s power to initiate certain proceedings. Unlike GDPR Article 37, designation is not mandatory for most Swiss private organisations, the advisor need not be a formal DPO, and independence requirements are less prescriptive. Organisations under both frameworks need a dual-role structure: a GDPR-compliant DPO for EU-resident data subjects and a FADP Article 10 advisor for Swiss-resident data subjects, with a documented allocation of responsibilities between them.

How should an Article 30 record of processing activities be structured when an organisation uses both sovereign on-premises systems and residual legacy cloud services?

Each processing activity entry must identify whether processing occurs on sovereign infrastructure (with the specific server location and jurisdiction noted), or on a residual legacy cloud service (naming the provider, their country of establishment and any applicable foreign law exposure such as the US CLOUD Act). The DPO should flag legacy cloud entries as requiring either a time-bound migration plan or a supplementary transfer impact assessment, keeping the record a living document rather than a static inventory.

What must be documented to prove DPO independence to a supervisory authority under the EDPB 2024–2027 Strategy?

Documentation should include the formal designation decision defining the DPO’s scope, an organisational chart showing the direct reporting line to the highest management level, a written policy prohibiting instructions to the DPO on the exercise of their tasks, evidence of budget and staff resources allocated to the DPO function, and records of DPO involvement in procurement decisions including signed-off DPIAs. Where sovereign infrastructure is in use, documented access rights for the DPO to infrastructure logs and SIEM systems should also be included.
