BlnBDI (Berlin) - Berlin DPO Conflict of Interest
|BlnBDI - Berlin DPO Conflict of Interest||
|Relevant Law:|Article 38(6) GDPR; Article 38(6) DS-GVO|
|National Case Number/Name:|Berlin DPO Conflict of Interest|
|European Case Law Identifier:|n/a|
|Original Source:|BlnBDI (in DE)|
|Initial Contributor:|Sainey Belle|
The Berlin Commissioner for Data Protection and Freedom (BlnBDI) fined a retail group €525,000 for violating Article 38(6) GDPR because of a conflict of interest: its DPO was supposed to independently monitor decisions that they themselves had made in their capacity as an executive of the company.
English Summary
Facts
The Data Protection Officer (“DPO”) of a Berlin e-commerce retail group (the controller) was at the same time the managing director of two service companies which processed data on behalf of the controller. These service companies, which were also part of the group, provided customer service and carried out orders.
In carrying out their legal duties, the DPO had to monitor compliance with data protection laws by the service companies operating within the framework of the processing, whilst also being responsible for making managerial decisions within it.
A warning against the controller was issued by the BlnBDI in 2021. However, after conducting a renewed inspection, it found that the violation continued despite the warning.
Holding
Article 38(6) GDPR makes clear that a controller or processor shall ensure that any tasks or duties assigned to a DPO do not result in a conflict of interest. Such a conflict would arise for persons who have executive decision-making powers in the company and are also tasked with making significant decisions relating to the processing of personal data. Accordingly, the DPO's tasks shall not be performed by individuals who would thereby monitor themselves.
The Acting Head of the BlnBDI reaffirmed the importance of ensuring that the DPO remains an independent body working towards compliance. Monitoring decisions made by themselves contradicts the core essence of a DPO. A DPO must essentially act independently of the controller or processor pursuant to Article 38(3) GDPR.
In imposing the fine, the BlnBDI took into account the controller's turnover of hundreds of millions of euros in the preceding financial year, the role of the DPO as the contact person for employees and customers alike, and the deliberate continuation of the violation despite the warning. Nevertheless, the controller extensively cooperated with the BlnBDI and stopped the violation during the ongoing fine proceedings. This culminated in a reduced overall fine of €525,000. The fine, however, is not yet legally binding as it can be appealed.
Comment
This summary was written based on a press release, as the official decision has not been published yet.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.