Berlin: Berlin Commissioner fines retail group subsidiary €525,000 for DPO conflict of interest
The Berlin data protection authority ('the Berlin Commissioner') announced, on 20 September 2022, that, following an investigation, it had imposed a fine of €525,000 on the subsidiary of a Berlin-based retail group for violations of Article 38(6) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Background to the decision
In particular, the Berlin Commissioner stated that the company had appointed a data protection officer ('DPO') who was required to independently monitor decisions that the same individual had made in another capacity. More specifically, the Berlin Commissioner highlighted that the individual was a managing director of two service companies under the same group, which processed personal data on behalf of the company for which the individual was DPO, in conducting customer service and executing orders. In this regard, the Berlin Commissioner specified that the DPO had to monitor compliance with data protection law by the service companies, which operated within the framework of commissioned processing and which the DPO also managed as managing director.
Findings of the Berlin Commissioner
Notably, the Berlin Commissioner found that a conflict of interest had arisen in contravention of Article 38(6) of the GDPR, since the individual had been acting as the DPO responsible for the data processing activities of companies of which they had also been a managing director.
Outcomes
Ultimately, the Berlin Commissioner imposed a fine of €525,000 on the company, following an initial warning issued to the company in 2021; however, it noted that the fine is not yet legally binding.
You can read the press release here, only available in German.