BlnBDI (Berlin) - 20.09.2022
Revision as of 15:28, 28 September 2022
| BlnBDI - Berlin DPO Conflict of Interest | |
|---|---|
| Authority: | BlnBDI (Berlin) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 38(6) GDPR; Article 38(6) DS-GVO |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | 20.09.2022 |
| Fine: | 525,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | Berlin DPO Conflict of Interest |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | BlnBDI (in DE) |
| Initial Contributor: | Sainey Belle |
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) fined a retail group €525,000 for violating Article 38(6) GDPR due to the conflict of interest of its DPO, who was supposed to independently monitor decisions that they themselves had made in their capacity as an executive of the company.
English Summary
Facts
The Data Protection Officer (“DPO”) of a Berlin e-commerce retail group (the controller) was at the same time the managing director of two service companies which processed data on behalf of the controller. These service companies were also part of the group which provided customer service and carried out orders.
In carrying out their legal duties, the DPO had to monitor compliance with data protection laws by the service companies operating within the framework of the processing whilst also being responsible for making managerial decisions within it.
A warning against the controller was issued by the BlnBDI in 2021. However, after conducting a renewed inspection, it found that the violation continued despite the warning.
Holding
Article 37(6) GDPR makes clear that a controller or processor shall ensure that any tasks or duties designated to a DPO do not result in a conflict of interest. This would be the case for persons with executive decision making capabilities in the company but also tasked with making significant decisions relating to the processing of personal data. Accordingly, such tasks shall not be performed by individuals who would thereby monitor themselves.
The Acting Head of the BlnBDI reaffirmed the importance of ensuring that the DPO remains an independent body working towards compliance. Monitoring decisions made by oneself contradicts the core essence of a DPO. A DPO must act independently of the controller or processor pursuant to Article 38(3) GDPR.
In imposing the fine, the BlnBDI took into account the controller's turnover of hundreds of millions of euros in the preceding financial year, the role of the DPO as the contact person for employees and customers alike, and the deliberate continuation of the violation despite being warned. Nevertheless, the controller cooperated extensively with the BlnBDI and stopped the violation during the ongoing fine proceedings. This culminated in a reduced overall fine of €525,000. The fine, however, is not yet legally binding as it can be appealed.
Comment
This summary was written based on a press release, as the official decision has not been published yet.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
PRESS RELEASE
Berlin, September 20, 2022

Conflict of interest of the company data protection officer: 525,000 euros fine against the subsidiary of a Berlin e-commerce group

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros on the subsidiary of a Berlin trading group because of a conflict of interest of its company data protection officer. The company had appointed a data protection officer who was supposed to independently monitor decisions which he himself had taken in another capacity. The fine is not yet final.

Company data protection officers have an important task: they advise the company with regard to its data protection obligations and monitor compliance with data protection law. According to Art. 38 Para. 6 Sentence 2 of the General Data Protection Regulation (DS-GVO), this task may only be exercised by persons who are not subject to conflicts of interest arising from other duties. This would be the case, for example, for persons in managerial positions in the company who have the authority to make decisions about the processing of personal data in the company. The task must therefore not be performed by persons who would thereby monitor themselves.

According to the BlnBDI, there was such a conflict of interest in the case of the data protection officer of a subsidiary of a Berlin e-commerce group. The person was at the same time managing director of two service companies which processed personal data on behalf of exactly the company for which he worked as data protection officer. These service companies are also part of the group; they provide customer service and execute orders.

The data protection officer therefore had to monitor compliance with data protection law by the service companies active in order processing, which he himself managed as managing director. In this case, the BlnBDI saw a conflict of interest and thus a violation of the General Data Protection Regulation. The supervisory authority therefore initially issued a warning against the company in 2021. After a re-examination this year revealed that the violation persisted despite the warning, the BlnBDI imposed the fine, which is not yet legally binding.

Volker Brozio, Acting Head of the BlnBDI: "This fine underlines the important role of data protection officers in companies. A data protection officer cannot on the one hand monitor compliance with data protection law and on the other hand co-decide on it. Such self-regulation contradicts the function of a data protection officer, which is supposed to be an independent body responsible in the company for compliance with data protection."

When assessing the fine, the BlnBDI took into account the turnover of the e-commerce group in the three-digit millions in the previous fiscal year and the significant role of the data protection officer as contact person for the large number of employees and customers. The deliberate continuation of the data protection officer's appointment for almost one year despite the warning already issued was also taken into account. Among other things, it was considered in mitigation that the company cooperated extensively with the BlnBDI and ended the violation during the ongoing fine proceedings.

"To avoid data breaches, companies should examine any dual roles of the company data protection officer in corporate structures for conflicts of interest," says Brozio. "This applies in particular when order processing or joint responsibilities exist between the group companies."