Companies required to appoint a data protection officer (“DPO”) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA”) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR”) and thus influence the appointment of DPOs by international companies.
I. The Data Protection Officer in Germany
Under the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), companies with an establishment in Germany (e.g., local offices or employees) must appoint a DPO if they employ more than nine persons who engage in automated data processing. Automated data processing covers the collection, retention, analysis and/or sharing of personal data, which is broadly defined under German and European law to include most types of consumer and employee information. The DPO’s function is to monitor the company’s overall compliance with German and European data protection rules; the DPO cannot, however, issue mandatory instructions; rather, he or she can only assist the company in working towards data protection compliance. Companies may designate an internal or external individual as the DPO, provided that the individual is free from any conflict of interests.
II. Conflict of Interests for IT Managers
The BayLDA recently fined a company for appointing its internal IT manager as DPO. According to the BayLDA, an IT manager generally has a significant stake in setting up, managing and influencing data processing activities within a company. Indeed, the IT manager often oversees the selection and deployment of IT assets and tools, which themselves can be the subject of investigations (or violations) of data protection compliance. Therefore, the BayLDA found that the company’s IT manager was ill-suited to serve as DPO. A DPO should be an unbiased, independent person without direct or personal interests in the operations of the company’s data processing. According to the BDSG, a failure to comply with the requirement to appoint an adequate DPO holds the potential for administrative fines of up to EUR 50,000.
The BayLDA’s decision may come as a surprise to many companies. Appointing an IT manager to the DPO position makes some intuitive sense. An IT manager is a practical choice given the general requirement that DPOs have sufficient IT expertise to capably monitor the data privacy compliance of IT operations (which may include issues like international data transfers and security). This closeness in function, however, itself creates a possible conflict of interest, jeopardizing the necessary independence of the DPO. In other words, the BayLDA has opined that an IT manager cannot be placed in a position where he or she may, in essence, evaluate the precise IT infrastructure and systems for compliance with data privacy laws that he or she is responsible for in the first instance.
III. Potential Impact on Data Protection Officers Under the GDPR
In Germany, the role of the DPO is considered an effective tool for ensuring data privacy compliance within a company. The EU General Data Protection Regulation (“GDPR”), which will come into force in May 2018 throughout Europe, will apply directly to all companies operating in the EU. The GDPR, like the BDSG (which is currently under revision to reflect the new GDPR rules), contains provisions requiring DPOs where core activities either relate to the regular and systematic monitoring of data subjects on a large scale or encompass the processing on a large scale of special categories of data. It likewise requires that DPOs be independent and free from any conflicts of interest.
As a result, the decision of the BayLDA will certainly influence the future local German interpretation of the GDPR/BDSG rules and may also have broader implications in other EU Member States.
Companies required to appoint a DPO are thus well advised to carefully consider candidates who are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR/BDSG compliance will be scrutinized heavily by German (and likely other) data protection authorities in the coming months and years.