A surprising Estonian court decision raises fundamental questions about one of GDPR's most rigid requirements
In a case that has sent ripples through the data protection community, Estonia's Tartu District Court overturned an €85,000 fine imposed by the Estonian Data Protection Authority on the genetic testing company Asper Biogene, terminating the proceedings despite a serious data breach. The leak itself was severe: it affected approximately 10,000 people whose genetic and health data, including paternity tests, fertility tests and information about genetic conditions, was illegally downloaded. What makes the case particularly intriguing, however, is the Authority's focus on a seemingly technical violation: the company's Data Protection Officer (DPO) lacked the independence required under GDPR Article 38(3).
The Case: An €85,000 Fine Overturned
The Estonian Data Protection Authority had fined Asper Biogene for two violations. First, the company had appointed its sole board member as DPO, a person who lacked both the independence and the competence the role requires. Second, the Authority found that Asper Biogene had not implemented sufficient security measures, which allowed a cyberattack in autumn 2023 to give external parties access to the company's database, including special category personal data.
The District Court agreed that appointing the board member as DPO constituted a violation, emphasizing that a board member who manages the company's activities and determines the purposes and means of data processing cannot simultaneously fulfill the duties of a DPO independently. However, the court found that the violation had been committed through negligence and took into account that the company later appointed a competent specialist and implemented additional security measures. The court terminated the misdemeanor proceedings on grounds of expediency, finding that the guilt was minor and that there was no public interest in prosecution.
The Supreme Court of Estonia decided in August 2025 not to hear the Data Protection Authority's cassation appeal, which ended the legal proceedings.
The Law vs. Reality: GDPR's Independence Paradox
The legal requirements are crystal clear. Article 38(3) of GDPR states that "the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks" and that the DPO "shall directly report to the highest management level of the controller or the processor". Article 38(6) adds that while the DPO may fulfill other tasks and duties, these must not result in a conflict of interests; regulatory guidance interprets this to mean that the DPO may not hold a position that involves determining the purposes and means of processing.
European regulators have been strict about this requirement. Data protection authorities across the European Union have imposed fines on organizations for appointing DPOs with conflicts of interest. Italian authorities fined a public body €6,000 for appointing a DPO who held several other key positions, and the Belgian Data Protection Authority issued a €50,000 fine to an organization for appointing its head of compliance, audit and risk management as DPO, arguing that combining these roles creates a conflict of interest.
But here is where theory meets an uncomfortable reality: the independence requirement, while legally mandated, may be practically meaningless given the actual role and powers of a DPO under GDPR.
The Fundamental Contradiction
The GDPR creates a curious contradiction in the DPO role. On one hand, it demands fierce independence: no instructions, direct reporting to top management, protection from dismissal. On the other hand, it gives the DPO virtually no actual authority to enforce compliance.
Under Articles 38 and 39, the DPO's main tasks are: informing and advising the organization, monitoring compliance, raising awareness and training staff, advising on and monitoring data protection impact assessments (which the controller itself must carry out under Article 35), cooperating with and serving as the contact point for the supervisory authority, and serving as a contact point for data subjects. Notably absent from this list is any enforcement power.
The DPO is fundamentally:
- An internal advisor with no power to compel action
- A liaison between the organization and data subjects/authorities
- A monitor who observes but cannot directly intervene
As regulatory guidance emphasizes, "All decisions regarding the data processing must be taken by the data controller with the advice of the DPO". The controller, not the DPO, remains fully responsible for all data processing decisions and GDPR compliance.
Why Independence Becomes Irrelevant
This structure renders the independence requirement practically pointless for several reasons:
1. No Decision-Making Authority
Since the DPO cannot make binding decisions about data processing, their independence from management structures does not change the fundamental power dynamics. Whether independent or not, they can only advise; the controller decides.
2. Full Controller Liability
The controller remains responsible for all GDPR compliance regardless of DPO advice. If the controller ignores DPO recommendations, the controller, not the DPO, faces regulatory sanctions. Independence does not shift this liability.
3. Resource Dependency
Even an "independent" DPO depends entirely on the controller for resources, access to information and organizational cooperation. Article 38(2) requires controllers to provide the DPO with the resources necessary to carry out their tasks and with access to personal data and processing operations, which regulatory guidance spells out as "adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their obligations". True independence is impossible when you depend on the very entity you are supposed to monitor independently.
4. Information Asymmetry
The DPO's effectiveness depends on complete information about organizational data processing activities. Controllers retain full control over what information the DPO receives and when. Independence means little if the controller can simply withhold relevant information.
What Really Matters: Expertise Over Independence
The Asper Biogene case inadvertently highlights what should be the real focus: competence rather than independence. The court noted that the board member serving as DPO lacked both "the necessary independence and competence for the role", but from a practical standpoint, the competence deficit was likely far more damaging than the independence issue.
Article 37(5) requires that "the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39". This expertise requirement is what enables a DPO to provide valuable guidance, regardless of their organizational position.
A competent DPO who understands both legal requirements and business operations can:
- Identify privacy risks early in project development
- Design practical compliance solutions
- Provide credible advice that management trusts
- Build effective privacy programs
The Small Business Reality
The independence requirement becomes particularly absurd for smaller organizations. SMEs often operate at full capacity, making hiring a full-time dedicated DPO unreasonable. Forcing these companies to choose between artificial independence and practical competence often results in neither.
Consider a small genetic testing company like Asper Biogene. The board member serving as DPO likely had the deepest understanding of the company's data processing activities, business model and operational constraints, which is exactly the knowledge needed to provide effective privacy guidance. Requiring a separate, "independent" person with less institutional knowledge may actually reduce the quality of privacy oversight.
A More Pragmatic Approach
Rather than focusing on formal independence, regulations should emphasize:
Competence Requirements
Detailed standards for DPO expertise, including both legal knowledge and practical experience with similar data processing operations.
Transparency Obligations
Clear requirements for DPOs to document their advice and recommendations, creating an auditable record of privacy guidance.
Accountability Mechanisms
Systems ensuring that controllers must formally respond to DPO recommendations, either implementing them or documenting why they are rejected.
Resource Guarantees
Specific minimum resource allocations ensuring DPOs can perform their advisory functions effectively.
Regulatory Overreach or Necessary Protection?
Critics might argue that independence requirements serve important symbolic functions: signaling the importance of privacy, creating cultural separation between compliance and business functions, and providing psychological protection for individuals raising privacy concerns.
However, as one analysis noted, "while empowering the Data Protection Officer is paramount in demonstrating high ethical standards, organizations are ultimately responsible for signing off on decisions". The accountability ultimately rests with the controller, not the DPO.
The Estonian Court's Wisdom
The Tartu District Court's decision to terminate proceedings on grounds of "expediency considerations", finding that "guilt was minor", suggests a pragmatic recognition that formal independence violations may not warrant severe punishment when substantive harm is limited and remediation has occurred.
The Estonian Data Protection Authority maintains that "DPO independence is not merely a formal requirement and this role cannot be fulfilled by a person who simultaneously manages the organization", but the court's decision implies a more nuanced view of proportionality in enforcement.
Conclusion: Time for Regulatory Evolution
The Asper Biogene case exposes a fundamental tension in GDPR's DPO framework: rigid independence requirements that may undermine the practical effectiveness of privacy oversight. While the regulation's intent, ensuring objective privacy guidance, is admirable, the execution creates bureaucratic obstacles that may not serve the ultimate goal of protecting personal data.
More than seven years after the GDPR became applicable, regulators should consider whether formal independence requirements are the best way to achieve effective privacy governance, or whether a focus on competence, transparency and accountability might better serve both organizations and data subjects.
The genetic data of 10,000 Estonian individuals was compromised not because their DPO lacked independence, but because of inadequate security measures and a criminal intrusion. Perhaps it is time to focus regulatory attention where it can make the biggest difference: on the substantive protection of personal data rather than on the organizational charts of those tasked with guiding that protection.
The Asper Biogene case demonstrates that sometimes the most legally clear requirements may be practically irrelevant. As data protection law matures, distinguishing between form and substance becomes increasingly important for effective privacy governance.