BlnBDI (Berlin) - 20.09.2022: Difference between revisions

From GDPRhub

Revision as of 15:28, 28 September 2022

BlnBDI - Berlin DPO Conflict of Interest
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 38(6) GDPR (Article 38(6) DS-GVO)
Type: Other
Outcome: n/a
Started:
Decided:
Published: 20.09.2022
Fine: 525,000 EUR
Parties: n/a
National Case Number/Name: Berlin DPO Conflict of Interest
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: BInBDI (in DE)
Initial Contributor: Sainey Belle

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) fined a retail group €525,000 for violating Article 38(6) GDPR because of a conflict of interest on the part of its DPO, who independently monitored decisions that they had themselves made in their capacity as an executive of the company.

English Summary

Facts

The Data Protection Officer (“DPO”) of a Berlin e-commerce retail group (the controller) was at the same time the managing director of two service companies which processed data on behalf of the controller. These service companies were also part of the group and provided customer service and carried out orders.

In carrying out their legal duties, the DPO had to monitor the service companies' compliance with data protection law in the context of that processing, whilst at the same time being responsible for the managerial decisions within those companies.

A warning against the controller was issued by the BlnBDI in 2021. However, after conducting a renewed inspection, it found that the violation continued despite the warning.

Holding

Article 37(6) GDPR makes clear that a controller or processor shall ensure that any tasks or duties assigned to a DPO do not result in a conflict of interest. This would be the case for persons who have executive decision-making authority in the company and are also tasked with making significant decisions relating to the processing of personal data. Accordingly, such tasks shall not be performed by individuals who would thereby monitor themselves.

The Acting Head of the BlnBDI reaffirmed the importance of ensuring that the DPO remains an independent body working towards compliance. Monitoring decisions that they themselves made contradicts the core essence of the DPO role. A DPO must essentially act independently of the controller or processor pursuant to Article 38(3) GDPR.

In imposing the fine, the BlnBDI took into account the controller's turnover of hundreds of millions of euros in the preceding financial year, the role of the DPO as the contact person for employees and customers alike, and the deliberate continuation of the violation despite the warning. Nevertheless, the controller cooperated extensively with the BlnBDI and stopped the violation during the ongoing fine proceedings. This culminated in a reduced overall fine of €525,000. The fine, however, is not yet legally binding as it can be appealed.

Comment

This summary was written based on a press release, as the official decision has not been published yet.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

PRESS RELEASE
Berlin, September 20, 2022

Conflict of interest of the company data protection officer: 525,000 euros fine against the subsidiary of a Berlin e-commerce group

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 525,000 euros on the subsidiary of a Berlin trading group because of a conflict of interest of the company data protection officer. The company had appointed a data protection officer who was to independently monitor decisions that he himself had made in another capacity. The fine is not yet final.

Company data protection officers have an important task: they advise the company on its data protection obligations and monitor compliance with data protection law. According to Art. 38 para. 6 sentence 2 of the General Data Protection Regulation (DS-GVO), this task may only be exercised by persons who are not subject to any conflict of interest arising from other duties. This would be the case, for example, for persons in managerial positions in a company who have the authority to make decisions about the processing of personal data in the company. The task must therefore not be performed by persons who would thereby monitor themselves.

According to the BlnBDI, there was a conflict of interest in the case of the data protection officer of a subsidiary of a Berlin e-commerce group. The person was at the same time managing director of two service companies that processed personal data on behalf of exactly that company for which he worked as data protection officer. These service companies are also part of the group; they provide customer service and execute orders.

The data protection officer therefore had to monitor compliance with data protection law by the service companies active in order processing, which he himself managed as managing director. In this the BlnBDI saw a conflict of interest and thus a violation of the General Data Protection Regulation.

The supervisory authority therefore initially issued a warning against the company in 2021. After a re-examination this year revealed that the violation persisted despite the warning, the BlnBDI imposed the fine, which is not yet legally binding.

Volker Brozio, Acting Head of the BlnBDI: “This fine underlines the important role of data protection officers in companies. A data protection officer cannot on the one hand monitor compliance with data protection law and on the other hand co-decide on it. Such self-regulation contradicts the function of a data protection officer, who is supposed to be an independent body in the company responsible for compliance with data protection.”

When assessing the fine, the BlnBDI took into account the three-digit million turnover of the e-commerce group in the previous fiscal year and the significant role of the data protection officer as contact person for the large number of employees and customers. The deliberate retention of the data protection officer for almost a year despite the warning already issued was also taken into account. It was counted in the company's favour, among other things, that the company cooperated extensively with the BlnBDI and ended the violation during the ongoing fine proceedings.

“To avoid data protection breaches, companies should avoid any dual roles of the company data protection officer in corporate structures that lead to conflicts of interest,” says Brozio. “This applies in particular when order processing or joint responsibilities exist between the group companies.”

Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), Friedrichstr. 219, 10969 Berlin (entrance: Puttkamerstr. 16-18). Phone: 030 13889-900, Fax: 030 215 50 50, Email: presse@datenschutz-berlin.de, Website: www.datenschutz-berlin.de. Responsible: Simon Rebiger; Office: Cristina Vecchi.