A Berlin company must pay a fine of 525,000 euros for violating the provisions of the General Data Protection Regulation (GDPR).
Fines for violating the GDPR should be proportionate, but also have a deterrent effect, explains lawyer Michael Rainer, MTR Rechtsanwälte. This is not just empty talk, as the subsidiary of a Berlin trading group found out. The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine of 525,000 euros on the company, as announced on September 20, 2022. The fine is not yet legally binding.
The reason is that the company appointed a data protection officer who was supposed to independently monitor decisions for which he was responsible in another role. This constitutes a clear conflict of interest for the data protection officer and thus also a violation of the GDPR, according to the BlnBDI.
Operational data protection officers have the important task of advising the company on data protection obligations and monitoring compliance with data protection regulations, explains the Berlin Data Protection Commissioner. Therefore, according to Art. 38 para. 6 sentence 2 GDPR, this function may only be performed by individuals who are not subject to a conflict of interest due to other tasks. Accordingly, the task must not be undertaken by individuals who supervise themselves.
However, precisely such a conflict of interest was present here, because the operational data protection officer was also the managing director of two group subsidiaries that processed personal data for the trading company. This ultimately means that the data protection officer also had to monitor compliance with data protection law by the very subsidiaries of which he was managing director. The Berlin Data Protection Commissioner sees this as a clear conflict of interest and initially issued a warning. Since a renewed review found that the violation persisted despite the warning, she imposed the fine.
Turnover and the significant role of the data protection officer in the company were taken into account when assessing the fine.
The high fine shows that companies should not take the requirements of the GDPR lightly. Experienced lawyers can provide advice.