Companies required to appoint a data protection officer (“DPO” ) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA“) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR“) and thus influence the appointment of DPOs by international companies.
Recent enforcement actions by the Bavarian Data Protection Authority (DPA) [Bayerisches Landesamt für Datenschutzaufsicht] highlight the importance of severe restrictions placed on the transfer of such data, even in the context of a merger/acquisition deal scenario. Specifically, on July 30, 2015 the Bavarian DPA announced that it has fined two companies, both the seller and the acquirer, in an asset deal with a five figure EUR sum for transferring customer e-mail-addresses collected during operating an online shop in violation of the German Federal Data Protection Act. Clients should expect to see more of these actions in the future, given the Bavarian DPA’s announcement that it will pay increased attention to data protection compliance in asset deals and shall accordingly monitor and fine the companies breaching the legal requirements with more persistence.