Search for:

For part 1 click here.

Under the European General Data Protection Regulation (GDPR), which will start to apply on 25 May 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to EUR 10 million or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO?

Companies may choose to appoint an employee of the company as an internal DPO or a professional data privacy advisor as an external DPO. The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. When is a DPO reliable and independent? This is not always a straightforward question in practice and it makes sense to look at how this requirement is interpreted to date in Germany, where companies have long been required to appoint a DPO.

According to the current interpretation of the existing German data protection law, the DPO must not have any duties which conflict with the monitoring obligations of the DPO. The Bavarian Data Protection Authority (BayLDA) takes the position in its recent activity report (German only) that members of the legal department may in certain cases have a conflict of interest which disqualifies those individuals from acting as DPO. In particular, if the legal counsel may represent the company in a legal proceeding (especially with regard to legal actions against employees or customers, which may include data privacy related aspects), the legal counsel is subject to a conflict of interest and, therefore, not independent. This may reduce the potential internal candidates for the role of the DPO significantly: The Art. 29 Working Party stated recently that individuals with a senior management position, such as chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments can have a conflict of interest and are therefore not suitable candidates for the DPO position (also supported by the BayLDA: read more).

In principle, a member of the company’s internal legal counsel team would be a suitable candidate for the DPO, especially if such legal counsel has data privacy experience. Moreover, the skills of a lawyer can be helpful when dealing with the Data Protection Authorities, which will be a core aspect of the DPO’s responsibilities. A company contemplating appointing a member of the legal department as DPO must ensure that this internal legal counsel is excluded from representing the company in any legal proceedings which may cause a potential conflict of interest. The position of the BayLDA goes beyond the position of the Art. 29 Working Party which states that an external DPO has a conflict of interest if this DPO represents the company in legal actions relating to data privacy issues before the courts.

When considering potential internal candidates for the position of the DPO, amongst other things, companies will therefore need to pay attention to potential conflicts of interest.

Contacts for further information:
Julia Kaufmann LL.M., Partner, Baker McKenzie Munich
Prof. Dr. Michael Schmidl LL.M., Partner, Baker McKenzie Munich
Dr. Holger Lutz LL.M., Partner, Baker McKenzie Frankfurt

 

Author

Julia Kaufmann is a partner in Baker McKenzie's Munich office. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Mrs. Kaufmann obtained her Master of Laws degree at the University of Texas at Austin, USA. Mrs. Kaufmann worked in the Firm’s Dallas office from 2011-2012 and handled matters primarily for US clients.

Author

Jan-Philipp Guenther is an associate in Baker & McKenzie’s Munich office and a member of the Information Technology Practice Group. Before joining the Firm in 2015, he was a research associate at the Department of Criminal Law, Criminal Justice, Legal Theory, Information and Computer Science Law at the University of Wuerzburg, and a legal trainee for an international law firm. Mr. Guenther clerked at the Regional Court of Wuerzburg and worked for an international law office in Tokyo, assisting in corporate law and litigation.