Germany: Can Employers Appoint In-House Counsel as Data Protection Officers?

By Michael Schmidl, Julia Kaufmann and Holger Lutz © Baker McKenzie January 12, 2018

Under the European General Data Protection Regulation (GDPR), which will start to apply May 25, 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to 10 million euros ($12.14 million) or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO?

Companies may choose to appoint an employee of the company as an internal DPO or a professional data privacy advisor as an external DPO. The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. When is a DPO reliable and independent? This is not always a straightforward question in practice and it makes sense to look at how this requirement is interpreted to date in Germany, where companies have long been required to appoint a DPO.

According to the current interpretation of the existing German data protection law, the DPO must not have any duties which conflict with the monitoring obligations of the DPO. The Bavarian Data Protection Authority (BayLDA) takes the position in its recent activity report that members of the legal department may in certain cases have a conflict of interest that disqualifies those individuals from acting as DPO. In particular, if the legal counsel may represent the company in a legal proceeding (especially with regard to legal actions against employees or customers, which may include data privacy related aspects), the legal counsel is subject to a conflict of interest and, therefore, not independent. This may reduce the potential internal candidates for the role of the DPO significantly: The Article 29 Data Protection Working Party, an advisory body, stated recently that individuals with a senior management position, such as chief operating, chief financial, chief medical officer, head of marketing department, head of human resources or head of IT departments can have a conflict of interest and are therefore not suitable candidates for the DPO position (also supported by the BayLDA: as we reported here).

In principle, a member of the company's internal legal counsel team would be a suitable candidate for the DPO, especially if such legal counsel has data privacy experience. Moreover, the skills of a lawyer can be helpful when dealing with the Data Protection Authorities, which will be a core aspect of the DPO's responsibilities. A company contemplating appointing a member of the legal department as DPO must ensure that this internal legal counsel is excluded from representing the company in any legal proceedings that may cause a potential conflict of interest. The position of the BayLDA goes beyond the position of the Article 29 Working Party, which states that an external DPO has a conflict of interest if this DPO represents the company in legal actions relating to data privacy issues before the courts.

When considering potential internal candidates for the position of the DPO, among other things, companies will therefore need to pay attention to potential conflicts of interest.

This article is part 2 of a series on Data Protection Officers (DPO) and avoiding conflicts of interest. For the first part please click here.

Michael Schmidl and Julia Kaufmann are attorneys with Baker McKenzie in Munich. Holger Lutz is an attorney with Baker McKenzie in Frankfurt, Germany. © 2018 Baker McKenzie. All rights reserved. Reposted with permission of Lexology.


Job Finder

Find an HR Job Near You
Search Jobs
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect