Double-hat DPOs: Berlin Data Protection Authority fines an e-commerce platform for breaching DPO conflict of interest requirements

In a press release dated 20th of September 2022, the Berlin Data Protection Authority announced that it imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group due to a conflict of interests arising from the company's data protection officer (“DPO”).

What happened?

In this matter, the Berlin DPA was prosecuting an e-commerce whose DPO was also acting as the managing director of the two service companies that processed personal data on behalf of the e-commerce group.

Consequently, the Berlin DPA considered that the DPO was in charge of monitoring processing activities that he himself contributed to defining as a managing director of two entities of the same group.

The Berlin DPA considered this to be a situation of conflict of interests, and therefore concluded to the breach of Article 38(6) of the GDPR. They consequently imposed the fine.

According to the Berlin DPA, as cited in the press release, such self-monitoring contradicts the function of a DPO, who is supposed to be an independent advisor in the company in charge of overseeing the monitoring of compliance with data protection laws.

The extent of the fine (EUR 525,000) reflects not only the violation of Article 38(6) of the GDPR, but also that the organisation subject to the fine was warned by the regulator about issues surrounding their DPO function in 2021 and took no action on the basis of those warnings.

Is there any guidance on “conflict of interests”?

Article 38 (6) of the GDPR provides that whilst DPOs can perform other duties, controllers and processors must ensure that any such ‘other’ task or duty does not put the DPO in a position of conflict of interests.

In 2016, the Article 29 Working Party issued guidelines on DPOs (the “Guidelines on DPOs”), which were revised in 201[2], specifically addressing GDPR requirements. Regarding conflicts of interest, the Guidelines on DPOs state that:

“the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (emphasis added).

These guidelines further specify that:

“As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” (emphasis added).

Previous cases have enforced provisions in relation to situations of conflict of interests for DPOs, in various European countries:

• The Bavarian State Office for Data Protection Supervision ruled in 2016 that the position of IT Manager of a company was incompatible with the duties of a DPO under the then-German data protection law.
• In May 2019 the litigation chamber of the Belgian DPA considered that the DPO should not take the decision on whether or not to delete personal data at the request of an individual. Instead, the DPO should only advise the data controller to do so.
• In April 2020 and December 2021, two further decisions were made where the Belgian DPA issued a fine due to a conflict of interests of the company’s DPO (see our article here).
• In 2021, the Berlin DPA imposed a fine on a clinic because they appointed a clinic manager as their DPO. In this case, the clinic manager was also a shareholder of the clinic.

Evidently, the prevention of such conflicts of interests is a key challenge for many companies, as it often proves difficult to identify profiles that are knowledgeable enough in data protection, whilst not being involved in the making of decisions in these matters.

Key Takeaways:

• The appointment of the DPO should be carefully considered, taking into account the requirements in relation to conflicts of interest and the DPO’s independence.
• Double-hat DPOs should be avoided, as such double roles increase the risk of a conflict of interests, especially for persons with executive functions.
• In case a double-hat DPO cannot be avoided, and where the DPO also defines the purpose and the means of some processing activities in the context of another role, businesses could consider appointing a deputy DPO in charge of monitoring those of the processing activities subject to a situation of conflict of interests.

You can find a free translation of the German press release of the decision here