BayLDA fines organisation for DPO appointment

The Bavarian State Commissioner for Data Protection (“BayLDA”) announced on October 20, 2016, that it had fined a company for appointing an IT manager as its data protection officer (“DPO”). Germany’s strict data protection laws mean that appointing a DPO has long been a requirement for some companies in Germany, whereas in most other EU Member States there will be no such requirement until the General Data Protection Regulation (“GDPR”) takes effect.

Section 4f of the Federal Data Protection Act 2003 states that “only persons who possess the specialized knowledge and demonstrate the reliability necessary for the performance of the duties concerned may be appointed a data protection official.” German data protection law also provides that a DPO must perform his/her duties independently. In light of this, BayLDA declared that a DPO cannot fulfill his/her tasks while also having significant operational responsibility for data processing activities. In this case, simultaneously holding the role of IT manager created a conflict of interest that meant the individual could not also hold the position of DPO. BayLDA was of the opinion that personal reliability cannot be expected if the DPO has other tasks and duties that are incompatible with their position.

This applies to persons other than those in the IT department. Board members, other senior managers, HR managers and persons managing tasks that involve the processing of large amounts of personal data are, by the same logic, also unsuitable for the role of DPO. If consideration is given to appointing an internal candidate as DPO, where that person is expected to also retain his/her current job role, care must therefore be taken to ensure that they will be able to independently carry out the duties of a DPO and not be in a position of reviewing the data privacy aspects of their own work.

This decision by BayLDA is particularly relevant because of the requirement to appoint a DPO, in certain cases, under the GDPR, which will take effect on May 25, 2018. The GDPR specifies that the DPO’s role can be complemented by other tasks and duties, but the controller or processor must ensure that any such tasks and duties do not result in a conflict of interest.

The GDPR will apply to businesses in the EU and to businesses in countries outside the EU that hold data on Europeans. It will introduce new privacy requirements and new rights (e.g. the right to erasure of data), which if breached could lead to fines of up to the greater of four per cent of annual worldwide turnover or €20,000,000.