Over €500.000 fine for a German e-Commerce company having appointed a DPO with a conflict of interest

The fine has been issued by the Berlin Supervisory Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit – BlnBDI) on the 20^th of September to an e-Commerce company following to the identification of a conflict of interest among the roles of the appointed Data Protection Officer (DPO), as mentioned in the authority’s press release. The DPO was supposed to independently monitor decisions which he himself had made in another capacity. In the specific case the officer simultaneously covered the role of the  company’s DPO and managing director of two service companies of the group which processed personal data. The fine of €525.000 is not yet legally binding for the company.

The company had previously been warned

For the same company, the BlnBDI had already identified a conflict of interest (and thus a breach of the General Data Protection Regulation – GDPR) in 2021, and consequentially it formally warned the e-Commerce group. However, following another inspection carried out in 2022, the authority found that the violation was still ongoing despite the warning. For this reason, the authority decided to impose such an expensive fine, which at present is not yet final.

As pointed-out by the BlnBDI , Art. 38.6 of the GDPR explicitly mentions that: “the controller and processors [when appointing a DPO] shall ensure that any such tasks and duties do not result in a conflict of interests”. As a result, this function may only be carried-out by officers who are not subject to conflicts of interest due to other tasks.

The company under investigation had appointed as DPO a person who, in the role of managing director, could make significant decisions about the processing of personal data in the company, hence generating a conflict of interest.

In determining the amount of the fine, several factors were taken into consideration: the group’s turnover in the previous year and the fact that the Data Protection Officer would serve the interests of a large number of employees and customers as data subjects of the controller. In addition, the authority also took into account the fact that the DPO was deliberately appointed again for almost a year despite the warning received. On the other hand, when deciding on the amount, the BlnBDI  considered as mitigating factor the fact that the controller acted during the sanctioning procedure to remediate the incompliance.

Conclusion

Company Data Protection Officers have a prominent role for the enterprises and the public authorities that are regularly processing personal data: They advise the controllers and processors with regard to their data protection obligations and monitor compliance with the data protection regulations. The DPOs shall therefore not be  the same persons who have decision-making or monitoring powers on data protection matters within the entity.

As mentioned by the BlnBDI in the procedure, companies and public authorities should always check for conflicts of interest in any dual roles held by the DPO in order to avoid data protection violations, and this applies in particular when there are joint responsibilities between group companies.

Article 38 of the GDPR specifies that the DPO shall not receive any instructions from the controller or processor, as this is essential to ensure his or her autonomy of action. At the same time data controllers and processors shall make available to the DPO all the resources necessary to carry out the tasks independently.