Nov 102016

BayLDA fines organisation for DPO appointment

William RM Long and Thomas Fearon
, , , ,

The Bavarian State Commissioner for Data Protection (“BayLDA“) announced on October 20, 2016, that it had fined a company for appointing an IT manager as its data protection officer (“DPO“). Germany’s strict data protection laws mean that appointing a DPO has long been a requirement for some companies in Germany, whereas in most other EU Member States there will be no such requirement until the General Data Protection Regulation (“GDPR”) takes effect.

Section 4f of the Federal Data Protection Act 2003 states that “only persons who possess the specialized knowledge and demonstrate the reliability necessary for the performance of the duties concerned may be appointed a data protection official.” German data protection law also provides that a DPO must perform his/her duties independently. In light of this, BayLDA declared that a DPO cannot fulfill his/her tasks while also having significant operational responsibility for data processing activities. In this case, simultaneously holding the role of IT manager created a conflict of interest that meant the individual could not also hold the position of DPO. BayLDA was of the opinion that personal reliability cannot be expected if the DPO has other tasks and duties, which are incompatible with their position.

This applies to persons other than those in the IT department. Board members, other senior managers, HR managers and persons managing tasks which involve the processing of large amounts of personal data are by this logic also unsuitable for the role of DPO. If consideration is given to  appointing an internal candidate as DPO, where that person is expected to also retain his/her current job role, care must be therefore taken to ensure that they will be able to independently carry out the duties of a DPO and not be in a position of reviewing data privacy aspects of their own work.

This decision by BayLDA is particularly relevant because of the requirement to appoint a DPO, in certain cases, under the GDPR, which will take effect on May 25 2018. The GDPR specifies that the DPO’s role can be complemented by other tasks and duties, but, the controller or processor must ensure that any such tasks and duties do not result in a conflict of interest.

The GDPR will apply to businesses in the EU and countries outside the EU that have data on Europeans. It will introduce new privacy requirements and new rights (e.g. right to erasure of data), which if breached could lead to fines of up to the greater of up to four per cent of annual worldwide turnover or €20,000,000.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.