Conflict of interest of data protection officers
The subsidiary of an unnamed e-commerce group received a fine because the data protection officer had a conflict of interest.
The employee who was appointed as data protection officer by the recipient of the fine was also managing director at 2 other companies belonging to the same group. His task was to review the activities of the two companies with regard to data protection. But that also meant that he would have had to review his own decisions. This constituted a violation of the provision of the GDPR that data protection officers must be able to perform their role free of conflicts of interest.
In 2021, the BlnBDI had already warned the company about this incident, but the recipient of the fine had not remedied the data protection violation. The penalty notice is currently not yet legally binding.
Type of violation:
inadequate data protection
Was sensitive data affected?:
Violation of GDPR Paragraph:
38. Position of the data protection officer
Press release of the BlnBDI