In a press release dated 20th of September 2022, the Berlin Data Protection Authority announced that it imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group due to a conflict of interests arising from the company's data protection officer (“DPO”).
In this matter, the Berlin DPA was prosecuting an e-commerce whose DPO was also acting as the managing director of the two service companies that processed personal data on behalf of the e-commerce group.
Consequently, the Berlin DPA considered that the DPO was in charge of monitoring processing activities that he himself contributed to defining as a managing director of two entities of the same group.
The Berlin DPA considered this to be a situation of conflict of interests, and therefore concluded to the breach of Article 38(6) of the GDPR. They consequently imposed the fine.
According to the Berlin DPA, as cited in the press release, such self-monitoring contradicts the function of a DPO, who is supposed to be an independent advisor in the company in charge of overseeing the monitoring of compliance with data protection laws.
The extent of the fine (EUR 525,000) reflects not only the violation of Article 38(6) of the GDPR, but also that the organisation subject to the fine was warned by the regulator about issues surrounding their DPO function in 2021 and took no action on the basis of those warnings.
Article 38 (6) of the GDPR provides that whilst DPOs can perform other duties, controllers and processors must ensure that any such ‘other’ task or duty does not put the DPO in a position of conflict of interests.
In 2016, the Article 29 Working Party issued guidelines on DPOs (the “Guidelines on DPOs”), which were revised in 201[2], specifically addressing GDPR requirements. Regarding conflicts of interest, the Guidelines on DPOs state that:
“the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (emphasis added).
These guidelines further specify that:
“As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” (emphasis added).
Previous cases have enforced provisions in relation to situations of conflict of interests for DPOs, in various European countries:
Evidently, the prevention of such conflicts of interests is a key challenge for many companies, as it often proves difficult to identify profiles that are knowledgeable enough in data protection, whilst not being involved in the making of decisions in these matters.
Key Takeaways:
You can find a free translation of the German press release of the decision here