In October the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) fined a company for having an IT manager who also acted as the internal Data Protection Officer of the company.
According to the Bavarian DPA, the dual position of the employee constituted a conflict of interest as the internal DPO would, in this case, need to monitor his/her own activities and ensure that they are in compliance with current German and EU data protection regulation, something which is incompatible with the fundamental requisites of independence and reliability required of a DPO.
Following this logic, any employee of a company who is involved in data processing on a regular basis, such as marketing, HR, or legal officers, could have a conflict of interest with the position of DPO who is expected to monitor the relevant data processing independently to ensure compliance of the company with local and European regulations.
From May 2018, when the General Data Protection Regulation comes into force, companies will be required to appoint an internal Data Protection Officer. According to article 37 of the GDPR, the data protection officer should be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”.
While the Regulation does not specify that the DPO may not also hold another role in the company, and indeed states that the “data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract”, it would be wise for companies to refrain from appointing DPOs who, because of their other functions in the company (for example in the IT, marketing, HR, or legal departments), are also involved in taking decisions concerning automated processing of personal data, since such dual roles could potentially present a conflict of interest as per the Bavarian DPA’s decision. Practically speaking, if the European Supervisory Authorities adopt the view of the Bavarian DPA, companies wishing to fulfil the “independence” requirement will have two choices: 1. to appoint a full-time DPO; 2. to appoint an external DPO.
For more information see Bayerisches Landesamt für Datenschutzaufsicht Press Release dated 20.10.2016 here.