Nov 102016

BayLDA fines organisation for DPO appointment

William RM Long and Thomas Fearon
, , , ,

The Bavarian State Commissioner for Data Protection (“BayLDA“) announced on October 20, 2016, that it had fined a company for appointing an IT manager as its data protection officer (“DPO“). Germany’s strict data protection laws mean that appointing a DPO has long been a requirement for some companies in Germany, whereas in most other EU Member States there will be no such requirement until the General Data Protection Regulation (“GDPR”) takes effect.

Section 4f of the Federal Data Protection Act 2003 states that “only persons who possess the specialized knowledge and demonstrate the reliability necessary for the performance of the duties concerned may be appointed a data protection official.” German data protection law also provides that a DPO must perform his/her duties independently. In light of this, BayLDA declared that a DPO cannot fulfill his/her tasks while also having significant operational responsibility for data processing activities. In this case, simultaneously holding the role of IT manager created a conflict of interest that meant the individual could not also hold the position of DPO. BayLDA was of the opinion that personal reliability cannot be expected if the DPO has other tasks and duties, which are incompatible with their position.

This applies to persons other than those in the IT department. Board members, other senior managers, HR managers and persons managing tasks which involve the processing of large amounts of personal data are by this logic also unsuitable for the role of DPO. If consideration is given to  appointing an internal candidate as DPO, where that person is expected to also retain his/her current job role, care must be therefore taken to ensure that they will be able to independently carry out the duties of a DPO and not be in a position of reviewing data privacy aspects of their own work.

This decision by BayLDA is particularly relevant because of the requirement to appoint a DPO, in certain cases, under the GDPR, which will take effect on May 25 2018. The GDPR specifies that the DPO’s role can be complemented by other tasks and duties, but, the controller or processor must ensure that any such tasks and duties do not result in a conflict of interest.

The GDPR will apply to businesses in the EU and countries outside the EU that have data on Europeans. It will introduce new privacy requirements and new rights (e.g. right to erasure of data), which if breached could lead to fines of up to the greater of up to four per cent of annual worldwide turnover or €20,000,000.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.