Under the European General Data Protection Regulation (GDPR), which will start to apply on 25 May 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to EUR 10 million or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO?
Companies may choose to appoint an employee of the company as an internal DPO or a professional data privacy advisor as an external DPO. The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. When is a DPO reliable and independent? This is not always a straightforward question in practice and it makes sense to look at how this requirement is interpreted to date in Germany, where companies have long been required to appoint a DPO.
According to the current interpretation of the existing German data protection law, the DPO must not have any duties which conflict with the monitoring obligations of the DPO. The Bavarian Data Protection Authority (BayLDA) takes the position in its recent activity report here (German only) that members of the legal department may in certain cases have a conflict of interest which disqualifies those individuals from acting as DPO. In particular, if the legal counsel may represent the company in a legal proceeding (especially with regard to legal actions against employees or customers, which may include data privacy related aspects), the legal counsel is subject to a conflict of interest and, therefore, not independent.
This may reduce the potential internal candidates for the role of the DPO significantly:
The Art. 29 Working Party stated recently here that individuals with a senior management position, such as chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments can have a conflict of interest and are therefore not suitable candidates for the DPO position (also supported by the Bay LDA: as we reported here).
In principle, a member of the company's internal legal counsel team would be a suitable candidate for the DPO, especially if such legal counsel has data privacy experience. Moreover, the skills of a lawyer can be helpful when dealing with the Data Protection Authorities, which will be a core aspect of the DPO's responsibilities. A company contemplating appointing a member of the legal department as DPO must ensure that this internal legal counsel is excluded from representing the company in any legal proceedings which may cause a potential conflict of interest. The position of the BayLDA goes beyond the position of the Art. 29 Working Party which states that an external DPO has a conflict of interest if this DPO represents the company in legal actions relating to data privacy issues before the courts.
When considering potential internal candidates for the position of the DPO, amongst other things, companies will therefore need to pay attention to potential conflicts of interest.