The Austrian Data Protection Authority (“DSB”) has imposed a 5000 euro fine on a company for appointing its managing director as its data protection officer (“DPO”). As there was no assurance that the DPO’s other tasks and duties would not lead to a conflict of interest, the company had violated its duty under Art. 38(6) GDPR by appointing its managing director.
Case background
The company in question operated in the medical sector, running a diagnostic laboratory during the Covid-19 pandemic. It provided testing services for both public and private clients and became a high-capacity Covid-19 laboratory with an average of 200 employees.
In 2021, the managing director was appointed DPO. However, this appointment was not reported to the DSB. Additionally, the company took no measures to ensure that combining the roles of managing director and DPO would not give rise to a conflict of interest.
Legal framework
Under Article 37(1) GDPR, a Data Protection Officer (DPO) must be appointed if a controller’s or processor’s core activities involve large-scale processing of sensitive data (Article 9 GDPR), personal data related to criminal offences (Article 10 GDPR), or require regular and systematic monitoring of data subjects. Factors such as the scope, scale, and nature of data processing, along with the number of employees handling personal data, help determine whether a DPO is mandatory.
Article 38 GDPR requires a DPO to operate independently, free from conflicts of interest, with sufficient resources to fulfill their role. A conflict of interest arises when the DPO’s other duties compromise their ability to independently oversee data protection. Senior management, CFOs, department heads, and shareholders are typically considered incompatible with the DPO role due to potential conflicts.
The decision
The DSB held that, given the company’s large-scale processing of health data, the company was obliged to appoint a DPO. However, the company failed to report the appointment to the DSB and, moreover, improperly appointed its managing director, who was also a shareholder and therefore could not be regarded as independent.
In its defence, the accused company claimed that the managing director was fully aware of his dual roles and that there had been no risk of him neglecting his DPO obligations. According to the company, this arrangement was more efficient throughout the pandemic. However, the DSB emphasized that controllers must ensure that the DPO role remains free from conflicts of interest. Regardless of whether the company recognized its conduct as a GDPR violation, it would have been aware of the unlawfulness of its actions and therefore failed in its duty.
Consequently, the appointment was unlawful: owing to the inherent conflict of interest, the company had appointed an unsuitable DPO.
Key takeaways
This case serves as an important reminder for entities that process personal data on a large scale to carefully assess whether a DPO’s position is compatible with other roles within the company, in order to remain compliant with the GDPR.
To ensure GDPR compliance, companies should implement internal policies and procedures that define roles and responsibilities so that potential conflicts of interest can be identified. Additionally, companies must ensure that the appointed DPO has sufficient independence, resources, and authority to perform their duties effectively.