27 October 2016
The Bavarian State Commissioner for Data Protection (‘BayLDA’) announced, on 20 October 2016, that it had issued a fine to an organisation regarding its appointment of an employee as a data protection officer (‘DPO’) who also held the position of IT manager.
Dr Jochen Lehmann, Partner at GÖRG Partnerschaft von Rechtsanwälten mbB, told DataGuidance, “The decision by the BayLDA is by no means surprising or unusual. It is commonplace under German data protection law, particularly with respect to Section 4f of the Federal Data Protection Act 2003 (‘BDSG’) that the DPO has to be independent in performing his/her duties and therefore certain persons within an enterprise are not eligible, mostly because they would have to monitor their own work.”
In its decision, the BayLDA stressed that a DPO cannot fulfil his/her tasks while also having significant operational responsibility for data processing activities, such as in the case of an IT management position, because this represents a conflict of interest.
Holger Lutz, Partner at Baker & McKenzie, highlighted, “The DPO must demonstrate the reliability necessary for the performance of his duties. Personal reliability cannot be expected if the DPO has other tasks and duties, which are incompatible with that position. Such incompatibility is assumed in the case of the following persons, regardless of the person’s character or attitude, (i) the owner, managing board member, managing directors and other lawfully or constitutionally appointed managers; (ii) persons who might have a conflict of interest (e.g., IT managers, HR managers, persons managing tasks in operational units dealing with extensive amounts of and/or particularly sensitive personal data); and/or (iii) close relatives of the above.”
Prior to the imposition of a fine by the BayLDA, the organisation made commitments to take steps to ensure compliance with the BDSG. Nevertheless, such commitments were not followed by evidence that a new DPO had been appointed.
Lehmann commented, “The BayLDA was actually very lenient in this particular case as it waited for several months for a new DPO to be appointed and only then imposed a fine. That is rather typical for German regulators who try to find a consensual approach and regard a fine as a last resort.”
Moving forward, the General Data Protection Regulation (‘GDPR’), which will become applicable on 25 May 2018, specifies that the DPO’s role could be complemented by other tasks and duties, but at the same time it establishes that the controller or processor should ensure the absence of conflicts of interest in the tasks assigned to the DPO.
Lutz concluded, “The BayLDA decision did not anticipate the GDPR (it was exclusively based on the BDSG). However, it is likely that the interpretation of ‘incompatible tasks and duties’ will remain similar under Article 38(6) of the GDPR. Under the BDSG, the failure to appoint a DPO can be subject to administrative fines of up to €50,000. Under the GDPR, the potential fines for a failure to appoint a DPO will increase to €10 million or 2% of the annual turnover of the preceding financial year, whichever is higher.”
Cristina Ulessi | Privacy Analyst