German Data Protection Authority fined a company for having the IT manager appointed as Data Protection Officer – A greater risk under the European General Data Protection Regulation?
According to the German Federal Data Protection Act (“FDPA”), companies must appoint a Data Protection Officer (“DPO”) if (inter alia) at least ten persons are involved in the automated processing of personal data. Companies may choose to appoint an employee of the company as an internal DPO or may appoint a professional data privacy advisor as an external DPO. The appointed DPO must possess the necessary knowledge of data protection law and must be reliable and independent. Under the current interpretation of the FDPA, reliability and independence also require that the DPO have no other duties that conflict with the DPO's monitoring obligations under the FDPA.
The Bavarian Data Protection Authority (“BayLDA”) saw such a conflict of interest because the appointed internal DPO also acted as the IT manager of the company. The BayLDA argued that the position of an IT manager is incompatible with the position of the DPO because the DPO would be required to monitor himself, i.e. to assess whether his own activities as IT manager comply with data protection law. Such self-monitoring contradicts the independence expected of the DPO.