German Data Protection Authority fined a company for having the IT manager appointed as Data Protection Officer – A greater risk under the European General Data Protection Regulation?
According to the German Federal Data Protection Act ("FDPA") companies must appoint a Data Protection Officer ("DPO") if (inter alia) at least ten persons are involved in the automated processing of personal data. Companies may choose to appoint an employee of the company as an internal DPO or may appoint a professional data privacy advisor as an external DPO. The appointed DPO must possess the necessary knowledge of data protection law and must be reliable and independent. According to the current interpretation of the FDPA, reliability and independency also include that the DPO must not have other duties which conflict with the monitoring obligations of the DPO under the FDPA.
The Bavarian Data Protection Authority ("BayLDA") saw such a conflict of interests because the appointed internal DPO also acted as the IT manager of the company. The BayLDA argued that the position of an IT manager is incompatible with the position of the DPO because the DPO would be required to monitor himself, i.e. whether his activities as IT manager are in compliance with the data protection law. Such self-monitoring contradicts the required independency that is expected from the DPO.
According to the concept of the FDPA, the DPO shall basically assume the general monitoring obligations that would otherwise rest with the Data Protection Authorities (without of course limiting the audit and control rights of the Data Protection Authorities), hence independency is a key aspect. In the case at hand, the BayLDA informed the company about this conflict and repeatedly requested the company to appoint a new DPO.
As the company failed to appoint such a new DPO, the BayLDA imposed a fine, the amount of which is unknown. Such a conflict of interests could also be seen if the DPO is the head of other departments that are heavily involved in the processing of personal data such as HR, legal, or marketing.
Under the European General Data Protection Regulation ("GDPR") which will come into effect on May 25, 2018, the requirement of a mandatory DPO will also apply to companies in other European Member States (or even outside of the EU). In particular, a DPO will be required if the core business activities consist of the regular and systematic monitoring of data subjects on a large scale or of the processing on a large scale of sensitive data (in particular health data or biometric data) or personal data relating to criminal convictions and offences.
Moreover, the Member States may enact further provisions on the appointment of a DPO on a national level. The GDPR requires that the company must ensure that any further tasks and duties of the DPO do not result in a conflict of interests. A violation of the obligations relating to the DPO may result in fines of up to 10.000.000 EUR or up to 2% of the total worldwide annual turnover, whichever is higher.
Companies that will be subject to the GDPR should pay attention to potential conflict of interests before appointing a DPO.
Press release by the BayLDA, dated October 20, 2016 (German only): https://www.lda.bayern.de/media/pm2016_08.pdf