Kneppelhout & Korthals: Data Protection Officer cannot have dual positions02/21/2017
A company in Germany was warned by the German privacy watchdog for the fact that its Data Protection Officer (DPO) was also the IT manager from that company. According to the German Privacy Act, a company that employs more than 10 people who are concerned with processing personal data is obliged to appoint a DPO. A company can appoint an employee as DPO or hire an external DPO.
The German privacy watchdog has ruled that a DPO cannot have another position within the company, such as being the IT manager. This dual position is incompatible according to the watchdog as a DPO is basically evaluating and monitoring himself.
The judgment of the German privacy watchdog is interesting when looking at the renewed, upcoming Dutch Data Protection Act (Algemene Verordening Gegevensbescherming, AVG). The AVG states that certain undertakings, including government institutions and organizations who process personal data on a large scale, monitor individuals or undertakings that record sensitive information such as health-related or religious data, have to appoint a DPO. With the judgment from the German privacy watchdog and the upcoming AVG in mind, these undertakings should really consider who will be appointed as DPO as the legislation states that tasks and duties from a DPO cannot result in a conflict of interest.
Undertakings have to take into account that the Dutch privacy watchdog (Autoriteit Persoonsgegevens, AP), like its German equivalent, has to assure the independence of the DPO and may impose fines if the AP judges that one can speak of conflict of interest. Keep an eye out on who you appoint as DPO.