We all know of senior management (or indeed others lower down in the structure) who also wear another hat in their organisations: that of a data protection officer (DPO). Data protection law allows DPOs to have other roles, provided their tasks and duties don’t give rise to conflicts of interest (e.g. where a DPO determines the purpose and means of data processing). Some organisations take a somewhat relaxed approach to the issue of DPO conflicts – after all, they say: "what's the risk?" Well, if this recent fine issued to an online retailer by the Berlin DPA is anything to go by, the risk is a €500k deduction from the organisation's balance sheet.
Before we take a look at the fine, some readers might ask why we're wasting our/their time on this topic given that in the new 'deregulated-but-still-adequate-(for now)' UK, the writing is seemingly on the wall for DPOs.
Well, it's true that clause 14(2) of the Data Protection and Digital Information Bill replaces DPOs with a “senior responsible individual” (let's call them an SRI) who will be responsible for data protection risks within their organisations where there is high risk processing.
Interestingly, the SRI's tasks listed in the Bill will seem remarkably familiar to readers who are currently DPOs.
Of more relevance here, the Bill is also clear that where the performance of one of their tasks would result in a conflict of interests, the 3 letter acronym must secure that the task is performed by another person. That person must be suitably qualified and can't be told how to do their job. Again, familiar.
Hence us considering that the Berlin DPA's decision to fine a large e-commerce group for a DPO conflict might potentially be of interest to UK readers in organisations without EU subsidiaries, even post-deregulation.
The limited facts, based on a Google machine translation of a press release issued by the Berlin DPA, are simple.
The DPO of a subsidiary of an e-commerce group was also the managing director of 2 other group companies. Those companies were engaged by the subsidiary to provide it with services such as order processing.
He therefore had to monitor the data protection compliance of the service companies which he also managed in his capacity as MD.
The Berlin DPA warned the subsidiary about this conflict of interests back in 2021. A year later, no changes had been made. That's apparently why a fine was issued.
Commenting on the fine, the acting head of the Berlin DPA reportedly observed: "This fine underscores the important role of data protection officers in companies. A data protection officer cannot on the one hand monitor compliance with data protection law and on the other hand have a say in it. Such self-regulation contradicts the function of a data protection officer, which is supposed to be an independent body responsible in the company for compliance with data protection."
In other words, DPOs can't mark their own homework.
He went on to comment (us paraphrasing, as the translation went a bit haywire) that organisations should avoid DPOs having dual roles in corporate structures due to conflicts of interest, in particular where there is order processing or joint responsibilities between group companies.
In reaching the (somewhat harsh?) €500k figure, apparently the DPA took into account the following facts:
- group turnover in the previous year (€3-digit million)
- the DPO's significant role as contact point for a large number of employees and customers
- an intention to re-appoint a DPO
- the company's extensive cooperation with the DPA
- its remediation of the issue during the course of the fine proceedings
Apparently this fine isn't necessarily the last word, but still serves as a cautionary tale that DPO conflicts are a risk which organisations shouldn't ignore.
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros on the subsidiary of a Berlin trading group because of a conflict of interest of the company data protection officer. The company had appointed a data protection officer to independently monitor decisions that he himself had made in another capacity. The fine is not yet final.