BlnBDI (Berlin) - 20.09.2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color= |DPAlogo=LogoDE-BE.png |DPA_Abbrevation=BlnBDI |DPA_With_Country=BlnBDI (Berlin) |Case_Number_Name=Berlin DPO Conflict...")
 
(The text is clearer when assigning GDPR 'roles' to the parties and referring to them throughout the summary, such as 'the controller' or 'the complainant'; in the short summary please also mention the relevant GDPR Article. I also made some changes in the structure of the facts. The holding part was very clear and well explained with good layout. Try to use active voice as much as possible instead of passive sentences and stick to using Past Simple as a tense.)

Revision as of 09:26, 28 September 2022

BlnBDI - Berlin DPO Conflict of Interest
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 38(6) GDPR (Article 38(6) DS-GVO)
Type: Other
Outcome: n/a
Started:
Decided:
Published: 20.09.2022
Fine: 525,000 EUR
Parties: n/a
National Case Number/Name: Berlin DPO Conflict of Interest
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: BInBDI (in DE)
Initial Contributor: Sainey Belle

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) fined a retail group €525,000 for a conflict of interest on the part of the DPO, who was supposed to independently monitor decisions he had made himself in his capacity as an executive of the company, in violation of Article 38(6) GDPR.

English Summary

Facts

The Data Protection Officer (“DPO”) of a Berlin e-commerce retail group (the controller) was at the same time the managing director of two service companies which processed data on behalf of the controller. These service companies were also part of the group; they provided customer service and executed orders.

In carrying out his legal duties, the DPO had to monitor compliance with data protection law by the service companies operating within the framework of the processing, whilst at the same time being responsible for the managerial decisions taken within them.

A warning against the controller was issued by the BlnBDI in 2021. However, after conducting a renewed inspection, it found that the violation continued despite the warning.

Holding

Article 37(6) GDPR makes clear that a controller or processor shall ensure that any tasks or duties assigned to a DPO do not result in a conflict of interest. This is the case for persons who hold executive decision-making positions in the company and are also tasked with making significant decisions relating to the processing of personal data. Accordingly, the DPO's tasks shall not be performed by individuals who would thereby monitor themselves.

The Acting Head of the BlnBDI reaffirmed the importance of ensuring that the DPO remains an independent body working towards compliance. Monitoring decisions one has made oneself contradicts the core function of a DPO. A DPO must act independently of the controller or processor pursuant to Article 38(3) GDPR.

In imposing the fine, the BlnBDI took into account the controller's turnover of several hundred million euros in the preceding financial year, the role of the DPO as the contact person for employees and customers alike, and the deliberate continuation of the violation despite the warning. Nevertheless, the controller cooperated extensively with the BlnBDI and stopped the violation during the ongoing fine proceedings. This resulted in a reduced overall fine of €525,000. The fine, however, is not yet legally binding.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

PRESS RELEASE
Berlin, September 20, 2022

Conflict of interest of the company data protection officer: 525,000 euros fine against the subsidiary of a Berlin e-commerce group

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros against the subsidiary of a Berlin trading group because of a conflict of interest of the company data protection officer. The enterprise had appointed a data protection officer who was to independently monitor decisions which he himself had taken in another capacity. The fine is not yet final.

Company data protection officers have an important task: they advise the company with regard to its data protection obligations and monitor compliance with data protection law. According to Art. 38 para. 6 sentence 2 of the General Data Protection Regulation (DS-GVO), this task may only be exercised by persons who are not subject to any conflict of interest arising from other duties. This would be the case, for example, for persons in managerial positions in companies who have the authority to make decisions about the processing of personal data in the company. The task must therefore not be carried out by persons who would thereby monitor themselves.

According to the BlnBDI, there was such a conflict of interest in the case of the data protection officer of a subsidiary of a Berlin e-commerce group. The person was at the same time managing director of two service companies which processed personal data on behalf of exactly that company for which he worked as data protection officer. These service companies are also part of the group; they provide customer service and execute orders.

The data protection officer therefore had to monitor compliance with data protection law by the service companies active in order processing, which he himself managed as managing director. In this case, the BlnBDI saw a conflict of interest and thus a violation of the General Data Protection Regulation.

The supervisory authority therefore initially issued a warning against the company in 2021. After a re-examination this year revealed that the violation persisted despite the warning, the BlnBDI imposed the fine, which is not yet legally binding.

Volker Brozio, Acting Head of the BlnBDI: “This fine underlines the important role of data protection officers in companies. A data protection officer cannot on the one hand monitor compliance with data protection law and on the other hand co-decide on it. Such self-regulation contradicts the function of a data protection officer, which is supposed to be an independent body in the company responsible for compliance with data protection.”

When assessing the fine, the BlnBDI took into account the three-digit million turnover of the e-commerce group in the previous fiscal year and the significant role of the data protection officer as contact person for the large number of employees and customers. The intentional retention of the data protection officer for almost one year despite the warning already issued was also taken into account. Among other things, it was considered as mitigating that the company cooperated extensively with the BlnBDI and stopped the violation during the ongoing fine proceedings.

“To avoid data breaches, companies should avoid any dual roles of the company data protection officer in corporate structures for conflicts of interest,” says Brozio. “This applies in particular when order processing or joint responsibilities exist between the group companies.”

Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI)
Friedrichstr. 219, 10969 Berlin (entrance: Puttkamerstr. 16-18)
Phone: 030 13889-900, Fax: 030 215 50 50
Email: presse@datenschutz-berlin.de, Website: www.datenschutz-berlin.de
Responsible: Simon Rebiger; Office: Cristina Vecchi