The Belgian Data Protection Authority holds that a Data Protection Officer (DPO) may not himself/herself delete personal information of a data subject.

Doing so constitutes a violation of the General Data Protection Regulation’s prohibition of conflicts of interest for the DPO (Article 38(6) of GDPR).

Rather, all decisions regarding the processing must be taken by the data controller with the DPO. Per Article 38-39 of GDPR, the DPO’s role is to “inform and advise” and “monitor compliance,” as well as “act as the contact point for the supervisory authorities” and for data subjects. However, any decisions regarding data processing, including deletion of data, must be made by the data controller.

Read the full text of the opinion.