As an alternative to an external data protection officer, a company may appoint one of its own employees as (internal) data protection officer. Restrictions apply, however. Find out here what they are and what the consequences of a violation may be.

Appointment of a data protection officer

Some companies are required to appoint a data protection officer. You can find out exactly which ones here.

In summary, a data protection officer's main task is to advise the company on its data protection obligations and to monitor compliance with data protection regulations. This task can be performed by someone internal who is already an employee of the company, or an external data protection officer can be hired. You can find out more about the differences between these options and the way an external data protection officer works by reading here.

Limitation: Conflict of interest

With regard to the appointment of a data protection officer, Art. 38 VI 2 GDPR imposes a restriction. The office of data protection officer may only be held by persons who are not subject to a conflict of interest due to other duties.

This problem arises particularly in the case of the company's own employees. For example, employees in managerial positions cannot act as data protection officers for the company if they make significant decisions relating to the processing of personal data in the course of their work. There would then be a conflict of interest, since the employee would have to review his or her own decisions in his or her function as data protection officer, i.e., monitor himself or herself.

Example of conflict of interest from Berlin

The Berlin Commissioner for Data Protection and Freedom of Information recently imposed a fine of 525,000 euros on the subsidiary of a Berlin-based retail group because of a conflict of interest on the part of the corresponding data protection officer. The fine is not yet legally binding.

The person appointed by the company as data protection officer was also the managing director of two service providers who processed data as order processors for the company. These service companies were also part of the Group. The situation described above arose here. The data protection officer had to monitor and control activities that were carried out under him as managing director.

The acting head of the Berlin data protection commissioner's office summarized the problem as follows: "A data protection commissioner cannot, on the one hand, monitor compliance with data protection law and, on the other hand, make decisions about it. Such self-monitoring contradicts the function of a data protection officer, who is supposed to be precisely an independent authority working within the company to ensure compliance with data protection."

In setting the fine, the authority took into account that the company had already been warned last year over the same facts.

You can also read more about this incident in the press release of the Berlin data protection commissioner.

Tips for practice

The selection of a data protection officer must be well considered. Conflicts of interest can quickly arise in the case of internal officers, as a result of which the appointment would contradict data protection law.

This problem can be counteracted by appointing an external data protection officer. Learn more about the advantages of an external data protection officer here.

Contact us to get advice from our team of experts about the possibilities we can offer you as an external data protection officer!
