A Berlin company has to pay a fine of 525,000 euros for violating the provisions of the General Data Protection Regulation – GDPR.
Fines for violations of the GDPR should be proportionate but also have a deterrent effect, explains lawyer Michael Rainer, MTR Rechtsanwälte. The subsidiary of a Berlin trading group has now learned that these are not empty words. The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine of 525,000 euros on the company, as announced on September 20, 2022. The fine is not yet final.
The reason is that the company appointed a data protection officer who was supposed to independently monitor decisions for which he was himself responsible in another capacity. This constitutes a clear conflict of interest for the data protection officer and thus also a violation of the GDPR, according to the BlnBDI.
Company data protection officers have the important task of advising the company on data protection obligations and monitoring compliance with data protection regulations, explains the Berlin data protection commissioner. Therefore, according to Art. 38 para. 6 sentence 2 GDPR, this function may only be performed by persons who do not have a conflict of interest due to other tasks. The task must therefore not be taken on by persons who would be monitoring themselves.
Exactly such a conflict of interest existed here, as the company data protection officer was also managing director of two subsidiaries of the group that processed personal data for the trading company. This ultimately means that the data protection officer also had to monitor compliance with data protection law at the subsidiaries, i.e., companies of which he was the managing director. The Berlin data protection commissioner sees this as a clear conflict of interest and therefore initially issued a warning. Since a subsequent review showed that the violation persisted despite the warning, she imposed the fine.
The company's turnover and the significant role of the data protection officer in the company were taken into account when determining the fine.
The high fine shows that the requirements of the GDPR should not be taken lightly by companies. Experienced lawyers can provide advice.