Under the European General Data Protection Regulation (GDPR), which will start to apply May 25, 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to 10 million euros ($12.14 million) or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO?
Companies may choose to appoint an employee of the company as an internal DPO or a professional data privacy advisor as an external DPO. The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. When is a DPO reliable and independent? This is not always a straightforward question in practice and it makes sense to look at how this requirement is interpreted to date in Germany, where companies have long been required to appoint a DPO.
According to the current interpretation of the existing German data protection law, the DPO must not have any duties that conflict with the DPO's monitoring obligations. The Bavarian Data Protection Authority (BayLDA) takes the position in its recent activity report that members of the legal department may in certain cases have a conflict of interest that disqualifies them from acting as DPO. In particular, if the legal counsel may represent the company in a legal proceeding (especially in legal actions against employees or customers, which may include data-privacy-related aspects), the legal counsel is subject to a conflict of interest and is therefore not independent. This may significantly reduce the pool of potential internal candidates for the DPO role. The Article 29 Data Protection Working Party, an advisory body, recently stated that individuals in a senior management position, such as the chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources or head of IT, can have a conflict of interest and are therefore not suitable candidates for the DPO position (a view also supported by the BayLDA, as we reported here).
In principle, a member of the company's internal legal counsel team would be a suitable candidate for the DPO, especially if such legal counsel has data privacy experience. Moreover, the skills of a lawyer can be helpful when dealing with the Data Protection Authorities, which will be a core aspect of the DPO's responsibilities. A company contemplating appointing a member of the legal department as DPO must ensure that this internal legal counsel is excluded from representing the company in any legal proceedings that may cause a potential conflict of interest. The position of the BayLDA goes beyond the position of the Article 29 Working Party, which states that an external DPO has a conflict of interest if this DPO represents the company in legal actions relating to data privacy issues before the courts.
When considering potential internal candidates for the position of the DPO, among other things, companies will therefore need to pay attention to potential conflicts of interest.
This article is part 2 of a series on Data Protection Officers (DPO) and avoiding conflicts of interest. For the first part please click here.
Michael Schmidl and Julia Kaufmann are attorneys with Baker McKenzie in Munich. Holger Lutz is an attorney with Baker McKenzie in Frankfurt, Germany. © 2018 Baker McKenzie. All rights reserved. Reposted with permission of Lexology.