DSB (Austria) - 2024-0.641.771
| DSB - 2024-0.641.771 | |
|---|---|
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 38(6) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 08.10.2024 |
| Decided: | 16.10.2024 |
| Published: | 20.01.2025 |
| Fine: | 5,500 EUR |
| Parties: | n/a |
| National Case Number/Name: | 2024-0.641.771 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | RIS (in DE) |
| Initial Contributor: | ao |
The DPA issued a €5,500 fine to the controller for designating a DPO who clearly had a conflict of interests, which violated Article 38(6) GDPR.
English Summary
Facts
The controller was a company which operated a diagnostic laboratory during the Covid-19 pandemic. The managing director of this company was designated as the Data Protection Officer (DPO) for the controller. This designation was never notified to the Austrian DPA (Datenschutzbehörde – DSB).
The DSB initiated an ex-officio investigation, reviewed the company register and conducted an oral hearing. The controller argued that throughout the Covid-19 pandemic it was more efficient to combine the roles of DPO and managing director. The company delivered test results and, in order to communicate with the public entity commissioning them, it was easier to have a single responsible contact person.
Further, the controller stated that the managing director showed appropriate awareness of his two roles and that there had been no risk of him neglecting his data protection duties.
Holding
The DSB held that the controller had violated Article 38(6) GDPR. The controller had not taken any active steps to ensure that the managing director could avoid a conflict of interest in his role as DPO.
The DSB highlighted that the controller handled a large amount of health data under Article 9(1) GDPR. The DSB reiterated that a conflict of interest can occur if the DPO lacks the time to conduct their tasks because of other duties. Based on the CJEU judgment C-453/21, the DSB stated that the DPO cannot be entrusted with determining the purposes and means of processing, as this is exactly what the DPO is supposed to monitor independently.
The DSB rejected the controller's argument that the managing director brought with him a sense of awareness regarding his data protection obligations. The DSB held that the controller was under an obligation to inform itself about the requirements for DPO appointments.
The DSB issued a €5,000 fine under Article 83(4) GDPR and, under Section 64 of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz 1991 – VStG), ordered the controller to pay €500 towards the procedural costs.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2024-0.641.771 of October 16, 2024 (case number: DSB-D550.769) [Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical information, etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.] Criminal conviction Accused legal entity: D**** GmbH (FN *32*9*n) As the controller within the meaning of Art. 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of May 4, 2016, p. 1 as amended, you have realized the following facts and thereby committed the following administrative offense: From May 19, 2021 to February 26, 2024 ("time of offense"), the accused has had her commercial managing director (Dr. Edzard T***) and thus her representative under externally appointed body was appointed as data protection officer. There was no assurance that the performance of other tasks and duties of the person appointed would not lead to a conflict of interest. The accused therefore violated its duty under Art. 38 Para. 6 GDPR by appointing its commercial managing director as data protection officer, although he is subject to a conflict of interest due to his simultaneous activity as managing director and data protection officer of the accused. The accused therefore appointed an unsuitable person as data protection officer. Administrative offenses according to: Art. 37, 38 para. 6 in conjunction with Art. 83 para. 1 and 4 lit. a GDPR OJ L 2016/119, p. 1, as amended The following penalty is imposed for this administrative offense in accordance with Art. 83 GDPR: Fine of € 5,000 according to Art. 83 para. 4 lit. a GDPR OJ L 2016/119, p. 
1, as amended You must also pay the following in accordance with Section 64 of the Administrative Penal Code 1991 - VStG: 500 euros as a contribution to the costs of the criminal proceedings, which is 10% of the penalty, but at least 10 euros; Euro as compensation for the cash expenses for The total amount to be paid (fine/costs/cash expenses) is therefore 5,500 euros Payment deadline: If no appeal is lodged, this penalty decision is immediately enforceable. The total amount must in this case be transferred to the account [account details shortened] within two weeks of the decision becoming final. If no payment is made within this period, the total amount can be demanded. In this case a flat-rate contribution to costs of five euros must be paid. If no payment is made, the outstanding amount will be enforced. Reason: 1. The following facts relevant to the decision have been established on the basis of the evidence procedure carried out: 1.1. The accused is a limited liability company registered on May 19, 2021 under the company register number FN *32*9*n, with its registered office at M***platz *6, **** H***stadt. 1.2. Dr. Edzard T***, born on **.**.199*, has represented the accused independently as a commercial managing director since May 19, 2021 and was also a shareholder of the accused until February 17, 2023. The accused appointed Dr. Edzard T*** as data protection officer. The appointed data protection officer did not report this to the data protection authority. The accused has not taken any active steps - in the sense of external and visible measures - to ensure that the role of managing director and data protection officer, which is unified in one person, is not subject to any potential conflicts of interest. 1.3. Dr. Edzard T*** is a lawyer. He first completed his diploma and then his doctorate in law at the University of H***stadt. He also has an additional postgraduate degree in law from P*** University in W***, Scotland. 
In addition, he started but did not complete a course to become a data protection officer at the Economic Development Institute of the Austrian Chamber of Commerce (WIFI). 1.4. The accused's line of business is "health care and diagnostic laboratory". The purpose of the company was to contribute to combating the Covid-19 pandemic and to ensure a return to normality through orders from various clients, both from the private sector and from the public sector. In connection with the conclusion of cooperation agreements and participation in state-wide and national tenders, the accused has grown steadily and, in terms of capacity, represents one of the strongest COVID laboratories in Z***. The areas of activity of the accused have become more extensive over time due to the increasing order situation. The accused employed an average of 200 employees and carried out around 45,000 individual PCR analyses every day in the winter of 2021/22. 1.5. Since June 11, 2021, the accused had held the trades of “organizational preparation and follow-up of virological tests on humans”, “business brokerage in the form of brokering orders for the performance of (genetic) tests between prescribed doctors, approved laboratories and private individuals who wish to use these services”, “commercial trade with the exception of regulated commercial trade and commercial agent” and “transport of goods by motor vehicles or motor vehicles with trailers whose maximum permissible total weight does not exceed 3,500 kg”. As of July 27, 2021, the accused also had a trade license for the trade of “manufacture and processing as well as rental of medical devices, insofar as these activities do not fall under another regulated trade, and trade in and rental of medical devices”. The accused held the business of "manufacturing medicines and poisons and wholesale trade in medicines and poisons" from August 21, 2021 and the business of "chemical laboratories" from August 16, 2021. 
The accused finally surrendered all trade licenses on February 26, 2024 and has not exercised them since then. 1.6. After surrendering the trade licenses, the accused stored the data records received in the course of her activity until they were deleted on March 21, 2024. 1.6. According to the accused's own statements, the turnover in 2023 was approximately EUR 4 million, taking into account that there was no operational activity from June 2023. 2. The findings are made on the basis of the following assessment of evidence: 2.1. The findings made in point 1.1. result from an official query of the commercial register for the commercial register number *32*9*n with historical data. 2.2. The findings made in point 1.2. arise on the one hand from a query of the commercial register on October 8, 2024 and on the other hand from the questioning of the accused on May 23, 2023 (see p. 4, GZ: D550.769; 2023-0.384.689). The finding that the data protection officer did not report is based on official knowledge and corresponds to the information provided by the accused during the questioning on May 23, 2023 (see p. 4, GZ: D550.769; 2023-0.384.689) The finding that the accused has not taken any active steps to prevent potential conflicts of interest arises from the answer to the question posed during the questioning of the accused on May 23, 2023 as to the extent to which the managing director the accused ensures "that there is no conflict of interest with your role as managing director in the company and as DSBA". Specifically, the accused responded to this as follows: "The client in this case is a public body. For the administration of the Covid pandemic, it is more constructive for us to combine the DSBA and the managing director in one person. Above all because communication with the client or the public body (Corona control center) has taken place." Active measures cannot be derived from this in any way. 
The accused also merely stated in her justification of September 3, 2024 that the dual role does not lead to any danger, because the managing director has the corresponding awareness and no constellation can be imagined in which a neglect of data protection obligations would have been indicated from a business point of view. However, the stated lack of necessity for the personal separation of functions cannot in any way be interpreted as an active step and this was not put forward either. 2.3. The findings made regarding the academic career of the managing director (point 1.3.) of the accused arise from the training documents of Dr. Edzard T*** enclosed as part of the justification dated July 3, 2023: confirmation of the academic success of the bachelor's degree in business law from the University of H***stadt; notice from the University of H***stadt regarding the award of the academic degree: Master of Laws dated August 2, 2017; certificate of the first diploma examination from the University of H***stadt dated January 29, 2015; certificate of the second diploma examination from the University of H***stadt dated February 7, 2017; certificate of the third diploma examination from the University of H***stadt; Confirmation of completion of the postgraduate course at P*** University dated November 5, 2020; certificate of doctoral studies dated September 5, 2019; email dated March 7, 2022 about the information from WIFI Z*** about the start of the online course for the event certified data protection officer. 2.4. Point 1.4. results from an official query of the commercial register for the commercial register number *32*9*n with the cut-off date of October 8, 2024, inspection of the annual financial statements and management report of the accused dated December 31, 2021 in conjunction with the statements made in the interrogation of the accused on May 23, 2023 (see p. 4f, GZ: D550.769; 2023-0.384.689). 2.5. The findings made on point 1.5. 
result from official queries about the accused's terminated businesses in the Austrian Business Information System (GISA) for the GISA figures: [Editor's note: a total of 7 GISA figures were given].2.6. Point 1.6. of the findings arise from the statement of the accused dated September 3, 2024 (“only special categories of data were stored until March 21, 2024”; “All data was deleted on March 21, 2024 by order of the accused person’s client”). 2.7. Point 1.7. of the findings arise from the document template sent by email by the accused dated August 26, 2024, which was accompanied by an email from the managing director of the accused to the legal representatives describing the economic situation, a period overview for the period 01 to 06 2024 concerning the accused and a period overview for the period 01 to 06 2024 concerning the shareholder of the accused. 3. Legally, this means: 3.1. On the scope of the GDPR and the jurisdiction of the data protection authority Article 83, paragraph 4, letter a of the GDPR stipulates that in the event of violations of the obligations under Articles 8, 11, 25 to 39, 42 and 43 of the GDPR, fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of its total worldwide annual turnover of the previous financial year can be imposed, whichever is higher. According to Section 22, paragraph 5 of the Data Protection Act, the responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the Data Protection Authority. Consequently, the Data Protection Authority is also responsible for the administrative penal proceedings in question. 3.2. On the objective side of the matter Article 37 GDPR regulates the conditions under which the controller and the processor are obliged to appoint a data protection officer. Article 37 GDPR applies to both controllers and processors, independently of each other (see König in Knyrim, DatKomm Article 37 GDPR, paragraph 2). 
The data protection officer has a special role within the organization of the controller or processor. He must always be involved in data protection issues and must have the necessary resources and access to be able to fulfill his tasks (see Article 38 GDPR). The tasks of the data protection officer are standardized in Article 39 GDPR. The data protection officer is a "contact point" for supervisory authorities and is obliged to "cooperate with the supervisory authority" (Article 39 Paragraph 1 Letters d and e GDPR). The controller and the processor must in any case appoint a data protection officer if the core activities of the controller or processor consist of the processing on a large scale of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences pursuant to Article 10 (Article 37(1)(c) GDPR). Recital 97 states that the “core activities” of a controller refer to “its main activities and not to the processing of personal data as an ancillary activity”. “Core activities” can be considered to be the most important work processes that are necessary to achieve the objectives of the controller or processor. Nevertheless, the term “core activity” should not be interpreted as meaning that it does not also extend to activities in which the processing of data is an inseparable part of the activity of the controller or processor (see the guidelines of the Article 29 Data Protection Working Party WP 243 rev.01, p. 8). 
The guidelines on the data protection officer of the Article 29 Data Protection Working Party (WP 243 rev.01, available among other places at https://www.dsb.gv.at/europa-internationales/europaeischer_datenschutzausschuss_ edsa.html) do comment on this in 2.1.3, page 9, footnote 14, by referring to Recital 91 and deducing from this that the term refers to “large-scale processing operations […] that serve to process large amounts of personal data at regional, national or supranational level, could affect a large number of persons and - for example due to their sensitivity - are likely to involve a high risk”. Further guidance on what constitutes “large-scale data processing” can be found in accordance with the Guidelines on Data Protection Impact Assessment (DPIA) and on whether processing is “likely to result in a high risk” within the meaning of Regulation 2016/679, WP 248 Rev.01 (available at https://www.dsb.gv.at/europa- internationales/europaeischer_datenschutzausschuss_edsa.html, p.11), on page 9 of the Guidelines on the Data Protection Officer: “In any event, WP29 recommends that the following factors in particular be taken into account when determining whether the processing in question is carried out on a large scale: a) the number of data subjects – either as a specific number or as a proportion of the relevant population b) the volume and/or range of data being processed c) the duration or permanence of the data processing activity d) the geographical extent of the processing activity." Rough indications of extensive processing can also be given by the number of employees (who are entrusted with the processing of personal data) (see Löffler in Knyrim, Data Protection Law, para. 13.13). Recital 91 denies "extensive" processing of personal data if it is carried out by a single doctor or other member of a health profession or by a single lawyer. Examples of the scope of application of Art. 37 para. 1 lit. 
c GDPR include health care facilities, laboratories, advice centers, victim protection facilities and facilities for the resocialization of criminals (e.g. probation services, offender work) (see Bergauer in Jahnel, Commentary on the General Data Protection Regulation Art. 37 GDPR, para. 32). In view of the fact that the core activity of the accused was that of a "diagnostic laboratory" in connection with the Covid pandemic in Austria (specifically: in the federal state of Z***) and that at least in the winter of 2021/22 it carried out around 45,000 individual PCR analyses every day, i.e. in the processing of a large number of health data in accordance with Art. 9 Para. 1 GDPR, the accused employed an average of 200 employees and the areas of activity of the accused became more extensive over time due to the increasing order situation, it must be concluded that there is extensive processing of special categories of data in accordance with Art. 9 GDPR and that a data protection officer must therefore be appointed. This was not disputed by the accused in the course of the proceedings and a data protection officer was appointed - although this was not reported to the data protection authority. The only questionable - and contentious - period is therefore the period in which the obligation to appoint a data protection officer existed. As can be seen from the findings, the accused surrendered her business licenses on February 26, 2024, but claims that there was no longer any "operational activity" as of June 2023 and thus implicitly argues that the need to appoint a data protection officer ended in June 2023. The term "operational activity" can be found in the Austrian AIFMG, but without any legal clarification of what this means. In the AIFMD, this criterion is referred to as "general commercial or industrial purpose" (see Ley in Piska/Völkel, Blockchain rules, para. 12.15). 
However, the need to appoint a data protection officer is based exclusively on the "core activity" and not on any commercial or industrial purpose. Rather, the main activity can be derived from the acquired trade licenses in conjunction with the business purpose. The short name of the branch of business according to its own statement (Section 3 Paragraph 1 Item 5 FBG) is intended to describe the actual area of activity of the legal entity (see Potyka in Straube/Ratka/Rauter, UGB I 4 Section 3 FBG, paragraph 6). Why the core activity should therefore no longer exist with the alleged end of the operational business activity is incomprehensible and has no legal basis. As an interim result, it can therefore be stated that at least in the period from February 19, 2021 to February 26, 2023 (hereinafter "period of the offense"), an obligation to appoint a data protection officer was to be assumed. In addition to the mandatory appointment, it must also be taken into account that the appointment of the data protection officer satisfies the requirements of Art. 38 GDPR (“Position of the data protection officer”). Overall, Art. 38 GDPR is intended to enable the data protection officer to be able to fulfil his or her duties not only independently, but also effectively, as already mentioned at the beginning (cf. König in Knyrim, DatKomm Art. 38 GDPR, para. 1). Article 38 Paragraph 6 GDPR stipulates that the data protection officer can perform other tasks and duties. However, the controller or the processor must ensure that such tasks and duties do not lead to a conflict of interest (see König in Knyrim, DatKomm Article 38 GDPR). When such a "conflict of interest" exists is not defined in the GDPR itself. 
In general, conflicts of interest can arise from the nature of the activity or from the fact that there is no time left to perform the tasks of the data protection officer in accordance with Article 39 GDPR due to other tasks and duties (see König in Knyrim, DatKomm Article 38 GDPR, paragraph 35). In the case of ECJ C-453/21 of February 9, 2023, the ECJ has already commented on the question of whether a conflict of interest within the meaning of Art. 38 Para. 6 Sentence 2 exists if the data protection officer also holds the office of chairman of the works council formed in the responsible body and in the course of this stated that "firstly, it follows from the wording of the provision that the performance of the duties of the data protection officer and the performance of other duties at the responsible body or its processor are not in principle incompatible under the GDPR", but it must be ensured that these other tasks and duties do not lead to a "conflict of interest". Given the meaning of this expression in ordinary language usage, it can be assumed that, in accordance with the objective pursued by Art. 38 Para. 6 GDPR, the data protection officer may not be entrusted with the performance of tasks or duties that could impair the exercise of his position as data protection officer. The data protection officer may therefore not be assigned any tasks or duties that would cause him to determine the purposes and means of processing personal data by the controller or its processor, because the data protection officer must be able to monitor these purposes and means independently. However, whether a "conflict of interest" within the meaning of Art. 38 Para. 
6 GDPR exists must be determined in each individual case on the basis of an assessment of all relevant circumstances, in particular the organizational structure of the controller or its processor, and in the light of all applicable legal provisions, including any internal regulations of the controller or processor (cf. Rs 40ff ibid). Even if the existence of a conflict of interest must always be examined on the basis of the specific individual case, there are offices and positions in companies where a conflict of interest will regularly be assumed based on tasks and duties (see Brinkmann, Data Protection Officers and Conflicts of Interest - The Danger of Incompatibility with Other Tasks and Offices, BB 2024, 54). This means that certain positions in the company will be incompatible with the position of data protection officer (see König in Knyrim, DatKomm Art 38 GDPR, para. 36). Examples of such positions where conflicts of interest can be expected include those in senior management, such as in the management board, the CFO and department heads (see Bergauer in Jahnel, Commentary on the General Data Protection Regulation Art. 38 GDPR, para. 35). But even if the data protection officer has an economic interest in the company's success, e.g. as a shareholder, a conflict of interest can be assumed (see Bergt in Kühling/Buchner, GDPR Art. 38, para. 41). If a potential conflict of interest is identified, appropriate measures must be taken to ensure that it does not occur. 
Depending on the purpose, size and structure of an organisation, the Article 29 Data Protection Working Party recommends the following in its Guidelines on the Data Protection Officer (WP 243 rev.01, available at https://www.dsb.gv.at/europa- internationales/europaeischer_datenschutzausschuss_ edsa.html) on page 19f to address “conflicts of interest” in the position of data protection officer: - “identify the positions that are incompatible with the function of a DPO, - establish internal policies to avoid conflicts of interest - provide a general explanation of potential conflicts of interest - declare that the DPO is not in a conflict of interest with regard to his function and thus raise awareness of this requirement - include safeguards in the internal policies of the organisation and ensure that the job advertisement for the position of a DPO or the relevant service contract for the purpose of Avoiding conflicts of interest is formulated sufficiently precisely and accurately. In this context, it should be noted that conflicts of interest can take different forms depending on whether the DPO is recruited internally or externally." In fact, the person appointed by the accused as data protection officer was also the managing director under commercial law and thus the body appointed to represent the company externally. In addition, the named person was even a shareholder of the accused until February 17, 2023. Due to his dual or triple role, the named person (the managing director and shareholder of the accused) could in any case not be qualified as a body independent of the accused that could carry out the task of monitoring compliance with the GDPR and the strategies of the controller or processor for the protection of personal data, including the allocation of responsibilities, raising awareness and training of the employees involved in the processing operations and the related checks. 
This meant that an independent control by the data protection officer to be carried out by the management was excluded in the present case. Rather, there was a type of self-control that was not accessible to an independent objective review by a third party. The fact that a conflict of interest existed due to the dual role was no longer disputed by the accused, who stated on September 3, 2024 that the accused person's managing director was not aware that a conflict of interest existed in this constellation. Although the accused believes that there is a possibility of resolving the potential for the conflict of interest through individual measures, this is contradicted by the fact that no measures - especially those that are effective externally - have been taken. The mere argument that the managing director has a corresponding awareness of data protection law does not constitute such a measure and is ultimately not convincing. Rather, it should be assumed that the controller himself has an awareness of data protection law. The objective elements of the offence are therefore met. 3.3. On the subjective side of the offence As already assumed by the data protection authority in its previous rulings, the ECJ has now explicitly stated that only violations of provisions of the GDPR that the controller commits culpably, i.e. intentionally or negligently, can lead to the imposition of a fine (cf. ECJ of December 5, 2023, C-807/21, para. 68). With regard to the subjective side of the offence, however, it must be taken into account that the requirement of culpability for the imposition of a fine under Art. 83 GDPR is to be interpreted autonomously within the Union and, in particular, to be assessed in the light of the case law of the ECJ. 
The ECJ also found on the question referred in relation to fault that the Union legislature had not granted the Member States any discretion in this context for national regulations, since the substantive requirements are conclusively regulated in Article 83 (1) to (6) GDPR (see also ECJ of December 5, 2023, C-683/21, para. 64 ff). Thus, the (national) provision under Section 5 of the Criminal Code does not apply in relation to fault. On the crucial question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that such fault already exists if the accused could not have been unaware of the illegality of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR (see ECJ C-807/21, para. 76). Referring to further case law, the ECJ also expressly made it clear that the application of Art. 83 GDPR to legal persons does not require any action or even knowledge on the part of the management body of that legal person (see ECJ of December 5, 2023, C-807/21, para. 77). Furthermore, with regard to liability for fines under Article 83 GDPR, the ECJ fundamentally stated that controllers “must not only take appropriate and effective measures, but must also be able to demonstrate that their processing activities are in line with the GDPR and that the measures they have taken to ensure this compliance are also effective. It is this liability that forms the basis for imposing a fine on the controller under Article 83 GDPR in the event of one of the violations referred to in Article 83 (4) to (6) GDPR” (ECJ C-807/21, para. 38). 
With regard to the violation of the obligation for the controller or processor to ensure that there are no conflicts of interest in the performance of other tasks and duties of the data protection officer, the accused was therefore subject to an obligation to make enquiries.In this context, it should be noted that the website of the Data Protection Authority contains extensive information on the data protection officer (see www.dsb.gv.at), in particular reference is made to the “Guide to Regulation (EU) 2016/679” provided by the Data Protection Authority (available at https://www.dsb.gv.at/recht- entscheidungen/gesetze-in-oesterreich.html). Furthermore, the website of the European Data Protection Board contains comprehensive guidelines on the data protection officer (“Guidelines on the data protection officer of the Art. 29 Data Protection Working Party (WP 243 rev.01), available at https://www.dsb.gv.at/europa- internationales/europaeischer_datenschutzausschuss_ edsa.html”), which have already been cited several times in this decision. These explain in detail, among other things, when a conflict of interest is to be assumed and which measures can be used to address a conflict of interest. The European Data Protection Board has also published a guide for small and medium-sized enterprises (SMEs) with a series of recommendations, including specific ones on the role of the data protection officer (available in German at: https://www.edpb.europa.eu/sme- data-protection-guide/data-protection-officer_de). Finally, however, it should also be noted that the wording of Art. 38 Para. 6 GDPR makes it clear that the controller must ensure that there is no conflict of interest in this role. The accused therefore acted culpably in any case because she did not deal with her obligations, although this would have been reasonable and possible for her to do so. 
This would have been easy for the accused, because she claims to have a corresponding data protection awareness in the person of her managing director. In the light of the case law of the ECJ, the accused could not have been unaware of the illegality of her conduct, regardless of whether she was aware that she was violating the provisions of the GDPR (cf. ECJ C-807/21, paras. 76 and 77; ECJ C-683/21, paras. 81 and 82 with further references). The accused ultimately also showed insight and stated that the person concerned had not been aware that there was a conflict of interest in this constellation. In addition, the accused acknowledged the accusation and apologized for it. There is therefore in any case fault in the form of negligence in the present case. This also fulfils the subjective element of the offence.

4. The following should be noted regarding the sentencing:

4.1. General information on sentencing

According to Article 83 (1) GDPR, the supervisory authority must ensure that the imposition of fines for violations of the provisions of the GDPR subject to sanctions (Article 83 (4), (5) and (6) GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83 (2) GDPR stipulates that when deciding on the imposition of a fine and on its amount, certain criteria must be duly taken into account in each individual case. When determining the penalty, the data protection authority applied the EDPB guidelines on the calculation of administrative fines under the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1 of May 24, 2023, hereinafter "Fines Guidelines"). The provision under Section 19 (1) VStG does not apply, since the determination of the penalty is also conclusively regulated by Article 83 (2) GDPR and there is no discretion left for the Member States (see ECJ December 5, 2023, C-807/21, para. 45; see also the recent decision of the BVwG of June 3, 2024, GZ: W292 2282284-1). According to Article 83(4) GDPR, in the event of the infringements referred to therein, in accordance with paragraph 2, fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed. The term turnover in Article 83 (4), (5) and (6) GDPR is to be understood in the sense of Article 2 (5) of Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (hereinafter referred to as "Directive 2013/34/EU"). Turnover is the sum of all goods and services sold. Net turnover is the amount resulting from the sale of products and the provision of services after deduction of sales reductions and value added tax (VAT) and other taxes directly related to turnover (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1, para. 128 ff).

4.2. In the matter

In view of the Fines Guidelines, the accused is classified in the second lowest category (“undertakings with a turnover of between EUR 2 million and EUR 10 million”) in relation to its turnover, which it estimated at EUR 4 million for the 2023 financial year, and in relation to the imposition of an effective, dissuasive and proportionate fine. This classification takes due account of the size of the company, in particular to ensure the proportionality of the fine. According to Article 83 (4) GDPR, the penalty range in the specific case is up to an amount of EUR 10,000,000 (static penalty range). The dynamic penalty range (2% of annual turnover) does not apply.
In light of the facts assumed to be proven and taking into account the nature, severity and duration of the violation (Article 83 (1)(a) GDPR), the intentional or negligent nature of the violation (Article 83 (2)(b) GDPR) and the categories of personal data affected by the violation (Article 83 (2)(g) GDPR), the data protection authority considers the seriousness of the infringement to be low (“low level of seriousness”). In relation to the present case, the following was also taken into account as mitigating when determining the sentence (in addition to the criteria already considered above for the degree of severity): The accused has not committed any relevant violations to date and therefore has a clean record (cf. Art. 83 para. 2 lit. e GDPR). The accused cooperated in the investigation in question and thereby contributed to establishing the facts. The accused admitted to the data protection authority that she had disregarded her obligation (confession) (cf. Art. 83 para. 2 lit. f and lit. k GDPR). This was taken into account as a mitigating factor. According to the established case law of the Administrative Court, considerations of special prevention and general prevention may also be taken into account when determining the penalty (cf. Administrative Court 15.5.1990, 89/02/0093; Administrative Court 22.4.1997, 96/04/0253; Administrative Court 29.1.1991, 89/04/0061). Article 38 of the GDPR is intended to enable the data protection officer to perform his duties not only independently, but also effectively. As explained above, the accused violated this provision insofar as it did not ensure that the data protection officer did not come into a conflict of interest when performing other tasks and duties. The imposition of the specific fine was therefore necessary in the sense of general prevention, in order to sensitize controllers and processors to this issue when appointing a data protection officer.
The data protection authority assumes that the accused will refrain from committing such an infringement again in the future. Therefore, in the opinion of the data protection authority, there are no special preventive reasons. The penalty of EUR 5,000 ultimately imposed therefore appears appropriate to the offence and the degree of fault in view of the wrong done, measured against the available penalty range of Art. 83 Para. 4 GDPR. An (even) lower amount would not meet the central criteria of Art. 83 Para. 1 GDPR (effective, dissuasive and proportionate).