The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros on the subsidiary of a Berlin-based retail group. Reproach: Conflict of interest of the company data protection officer!
In this case, the trading company had appointed a data protection officer who was supposed to independently control decisions that he himself had made in a different capacity.
Tasks of a company DPO
On the one hand, a company data protection officer has the task of advising the company on its data protection obligations. On the other hand, he or she monitors compliance with data protection regulations. There shall be no conflict of interest in connection with other tasks of the DPO (see Article 38 (6) sentence 2 of the General Data Protection Regulation (GDPR)).
Senior leaders in the company who make decisions about the processing of personal data would virtually control themselves in their role as DPO. In the present case, according to the BlnBDI, exactly this circumstance existed: The data protection officer of the retail group was at the same time the managing director of two service companies – which process personal data on behalf of the company.
The service companies are also part of the group; provide customer service and execute orders. The data protection officer thus had to monitor compliance with data protection law by the service companies operating within the framework of commissioned processing, which were managed by himself as managing director: According to the BlnBDI, this constituted a conflict of interest and thus a violation of the GDPR.
Advantage of an external DPO
Ultimately, this violation underlines the importance of the independence of the DPO, which is always maintained in the form of an externally appointed DPO. The fine, which in this case was based on the millions in turnover of the retail group in the previous year, clearly exceeds the costs of an external data protection officer.