The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros on the subsidiary of a Berlin-based retail group because of a conflict of interest on the part of the company's data protection officer. The company had appointed a data protection officer to independently monitor decisions that he himself had made in another capacity. The fine is not yet legally binding.
Data protection officers must be independent
Company data protection officers have an important task: they advise the company on its obligations under data protection law and monitor compliance with data protection regulations. According to Article 38 (6) sentence 2 of the General Data Protection Regulation (GDPR), this function may only be performed by persons who are not subject to conflicts of interest due to other tasks. This would be the case, for example, for persons with executive functions in the company who themselves make authoritative decisions about the processing of personal data in the company. Accordingly, the task may not be performed by persons who would thereby monitor themselves.
According to the BlnBDI, such a conflict of interest existed in the case of a data protection officer of a subsidiary of a Berlin-based e-commerce group. The person was simultaneously the managing director of two service companies that processed personal data on behalf of the very company for which he worked as data protection officer. These service companies are also part of the group; they provide customer service and execute orders.
Data protection officers may not monitor their own decisions
The data protection officer thus had to monitor compliance with data protection law by the service companies operating within the scope of the commissioned processing, which were managed by himself as managing director. The BlnBDI saw a conflict of interest in this case and thus a violation of the General Data Protection Regulation.
Take warnings from regulators seriously!
The supervisory authority therefore initially issued a warning against the company in 2021. After a renewed inspection this year revealed that the violation continued despite the warning, the BlnBDI imposed the fine, which is not yet legally binding.
Volker Brozio, acting head of department at BlnBDI: "This fine underscores the important role of data protection officers in companies. A data protection officer cannot, on the one hand, monitor compliance with data protection law and, on the other hand, make decisions about it. Such self-monitoring contradicts the function of a data protection officer, who is supposed to be precisely an independent authority working within the company to ensure compliance with data protection."
In imposing the fine, the BlnBDI took into account the e-commerce group's sales in the triple-digit millions in the previous fiscal year and the important role of the data protection officer as a contact for the large number of employees and customers. Consideration was also given to the deliberate continued appointment of the data protection officer for almost a year despite the warning that had already been issued. Among other things, the fact that the company cooperated extensively with the BlnBDI and remedied the violation during the ongoing fine proceedings was deemed to reduce the fine.
Is your data protection officer independent and are there no conflicts of interest?
"To avoid data protection violations, companies should check any dual roles of company data protection officers in group structures for conflicts of interest," says Brozio. "This applies in particular when there is commissioned processing or joint responsibilities between group companies."
Source: Press release of the Berlin Commissioner for Data Protection and Freedom of Information of September 20, 2022