Data protection fine for insufficient involvement – Supervisory authorities monitor the position of the data protection officer

von Nadja-Maria

Position of the data protection officer

Articles 38 and 39 of the General Data Protection Regulation provide legal guidelines for the cooperation between the controller and the data protection officer. In practice, there are some differences between the appointment of an internal and an external data protection officer. However, the following points in particular are mandatory in all cases:

Early involvement

The data protection officer must be involved at an early stage in all issues relating to the protection of personal data. This is an obligation on the part of the controller, who must ensure that the data protection officer is notified of his or her own accord. In this context, early means at a point in time at which the data protection officer’s assessments can still be properly taken into account in the planning of a processing operation.

Freedom from instructions

The data protection officer performs his or her duties in accordance with the General Data Protection Regulation without being bound by instructions. The data controller is therefore prohibited from influencing the content of the data protection officer’s advice and audit results.

Right to report

The data protection officer reports directly to the highest management level. It is therefore not permissible for the reports of the data protection officer to have to be reviewed and, if necessary, approved by subordinate units.

Advising data subjects

The tasks of the data protection officer also include advising data subjects on data processing and their rights under the General Data Protection Regulation. The controller is in turn obliged to actually enable this advisory activity. For example, he must provide the necessary resources and, as stipulated in Art. 37 (7) GDPR, publish the contact details of the data protection officer.

Pursuant to Art. 83 (4) (a) GDPR, a fine of up to 10 million euros or 2% of the annual turnover may be imposed for violations of the requirements of Art. 38 and 39 GDPR by the controller.

Data protection fine of 15,000 euros

The fact that these regulations are not toothless tigers, but are to be taken quite seriously and implemented in practice, is shown by the fine imposed by the data protection supervisory authority in Luxembourg. In the course of an inspection of a company, the authority found deficiencies in the implementation of Art. 38 and Art. 39 of the GDPR and imposed a fine of 15,000 euros.

Specifically, the supervisory authority found fault in particular with the fact that the data protection officer did not report to the highest management level in contravention of Art. 38 (3) of the GDPR, was not sufficiently qualified and was not appropriately involved in all issues relating to the protection of personal data.

Data protection fine: Amount

Especially when compared to the recent fine against Amazon (we reported), 15,000 euros does not seem particularly spectacular. However, when classifying the amount of the fine, it is important to note that the supervisory authority generally refers to the assessment criteria of Article 83 (2) of the GDPR in its statement regarding the amount of the fine. Therefore, it cannot be readily assessed here which factors may have been used to mitigate the penalty.

Significance of the supervisory authority’s decision on the data protection fine

It should be noted that the data protection supervisory authorities examine all requirements for companies arising from the General Data Protection Regulation and, if necessary, also impose penalties. In addition, the mere appointment of the data protection officer is not sufficient. Rather, the data protection officer must also be enabled in practice to fulfill his or her auditing and advisory function comprehensively and free of instructions.

 

We will be happy to support you with any questions you may have about data protection. Simply call us at our headquarters in Hutthurm at +49 (0) 8505 91927 – 0 or at our branch in Munich at +49 (0) 89 413 2943 – 0 or use our contact form.

assets/images/e/Nadja-Maria-Becke-1-e4dcbac5.jpg
Nadja-Maria

Nadja-Maria leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.