Germany: The role of the DPO and conflicts of interest
Generally, there must be no conflict of interest when a data protection officer ('DPO') is assigned by a controller or processor. Under Article 38(6) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the controller or processor shall ensure that any other tasks and duties that they undertake do not result in a conflict of interest for the DPO. Dr. Carlo Piltz, Attorney at Law at reuschlaw Legal Consultants, provides a summary of what constitutes a conflict of interest for a DPO in Germany, and how to avoid such conflicts.
The GDPR is now directly applicable in all Member States. Before the GDPR applied, the prohibition of conflicts of interest for the DPO was already enshrined in German data protection law. In particular, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') has stated that the personal integrity of the DPO must be ensured. In the case of in-house DPOs, this means, for example, that the underlying employment relationship must not give rise to any conflict of objectives or interests with the function of the DPO. In the case of an external appointment, the company offering the DPO service must likewise be free of conflicts of interest, because the absence of a conflict of interest is closely linked to the requirement of independence. Concrete examples of conflicts of interest are where the DPO is the owner, director, partner, chief executive, manager, chairman of the board, managing director, or any other legally or constitutionally appointed director of the company/agency/association.
In 2016, for example, the Data Protection Authority of Bavaria for the Private Sector ('BayLDA') imposed a fine on a company because the company's DPO had a conflict of interest. According to the BayLDA, such a conflict of interest existed because the DPO of a Bavarian company also held the position of IT manager in the same company. Holding such an exposed position with regard to the data processing activities of a company is generally incompatible with the tasks of a DPO: otherwise, one of the relevant function holders in the company would end up carrying out a data protection inspection of themselves, and such self-inspection contradicts the DPO's role.
Furthermore, holding the roles of both DPO and money laundering officer is, in the view of the authorities, not permitted. Moreover, it is impermissible for a company that has represented the data controller or processor in IT matters in a significant manner to also provide the services of the external DPO, even if a different employee of that company holds the position of DPO.
Potential family conflicts of interest should also be taken into account, such as when the DPO is related by blood or marriage to the managing director.
In addition, the managing director of a company cannot be the DPO of the company. A managing director is responsible for the business management of the company, and these goals are not necessarily congruent with the goals of a company DPO; in fact, they are often in conflict with each other. Furthermore, with reference to public bodies, the LfDI Baden-Württemberg has outlined that the DPO for a school shall not be outsourced to the school administration. On the one hand, this could lead to conflicts of interest; on the other hand, the LfDI Baden-Württemberg sees a problem in such a case because the school DPO is then not directly integrated into the daily school routine.
The Thuringia data protection authority's activity report 2018 states that conflicts of interest can always arise when the DPO simultaneously performs tasks in the areas of personnel, legal, automated data processing, IT, or organisational units with particularly extensive or sensitive processing of personal data, acts as a security officer, or is Chairman of the Works Council. In particular, the latter point seems to contrast with the recent judgment of the Saxony State Labour Court of 19 August 2019 (decision No. 9 Sa 268/18).
In the opinion of the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information, conflicts of interest are to be expected above all when positions of senior management are held at the same time or the fields of activity involve the determination of purposes and means of data processing.
The Article 29 Working Party underlines, in its Guidelines on DPOs, that the following safeguards enable the DPO to act in an independent manner:
- the controllers or the processors should not issue instructions regarding the exercise of the DPO's tasks;
- the controller must not dismiss or penalise the DPO for the performance of their tasks; and
- there should be no conflict of interest with other possible tasks and duties.
The other tasks and duties of a DPO must not result in a conflict of interest. This means, firstly, that the DPO cannot hold a position within the organisation that leads him/her to determine the purposes and means of the processing of personal data. Because the organisational structure of each company is different, this has to be assessed on a case-by-case basis.
As a general rule, conflicting positions within the organisation include senior management positions such as chief operating officer, chief financial officer, chief medical officer, head of the marketing department, or head of Human Resources. It is important to note, however, that other roles lower down in the organisation's hierarchical structure may also be in conflict if such positions or roles lead to the determination of the purposes and means of processing.
Dr. Carlo Piltz Attorney at Law
reuschlaw Legal Consultants, Berlin