On 20 October 16, the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) fined a company for combining the roles of Data Protection Officer (DPO) and IT Manager, a combination that results in a conflict of interest.
Under German law, companies that process personal data are legally obligated to appoint an internal or an external DPO if at least ten employees are involved in the automated processing of personal data. The role of the internal DPO cannot be exercised by a person whose other tasks in the company stand in tension with independent, effective internal supervision of data protection.
In 2011, the Düsseldorfer Kreis, a committee made up of representatives of the German data protection authorities, had already interpreted the independence requirement by restricting the other roles and responsibilities a DPO may hold, excluding for example the owner of the business, board members and the managing director. Combining the role of DPO with potentially conflicting functions, such as IT or HR manager, would likewise jeopardize the DPO's independence. This interpretation is now partly confirmed by the BayLDA, which fined a company that had assigned the role of DPO to its IT Manager. Combining these roles amounts to a form of self-control, which is incompatible with the independent role of a DPO.
Under the General Data Protection Regulation (GDPR) as well, DPOs are granted significant independence in their role. They are allowed to perform other tasks and duties, provided that the combination of positions does not create a conflict of interest and that sufficient time can be spent on fulfilling the role of DPO as required.
Companies can opt for an internal or an external DPO. Appointing an external DPO is often an easy way to resolve conflict-of-interest issues and the challenges posed by the independence requirements. Moreover, an external DPO should bring legal and technical expertise that may not be available internally. Either way, a Data Protection Officer should at least:
- Be designated on the basis of professional qualities and expert knowledge
- Be involved in all matters relating to data protection
- Perform his or her duties independently and without instructions
- Maintain confidentiality