DPO Case Law
- A non-profit association, which belonged to a confederation of entities providing social services, was not obliged to appoint a DPO pursuant to Article 37 GDPR (Délibération n°43FR/2021).
- The offering of a loyalty programme by a company to its customers did not constitute regular and systematic monitoring pursuant to Article 37 GDPR, and therefore did not require a DPO appointment (Délibération n° 42FR/2021).
- Administrative fine of 75 000€ against the Ministry of Economic Development for failing to appoint a DPO by May 25, 2018, and for publishing personal data of more than five thousand managers on its website (Ordinanza di ingiunzione nei confronti di Ministero dello Sviluppo Economico – 11 febbraio 2021).
- Administrative fine of 2 600 000€ against Foodinho for using discriminatory algorithms to manage its food delivery riders (Ordinanza ingiunzione nei confronti di Foodinho s.r.l. – 10 giugno 2021).
- Among other violations, Foodinho had failed to appoint a DPO.
- Administrative fine of 200 000€ against a Processor for installing video surveillance systems without prior authorisation of the controller (Municipality of Taranto) and for posting videos on Facebook with identifiable persons without a legal basis (Ordinanza ingiunzione nei confronti di società Amiu s.p.a. – 28 aprile 2022).
- The Garante also found that the processor had not appointed a DPO pursuant to Article 37 GDPR.
- Warning against the municipality of Ayuntamiento de Molina de Segura for not having appointed a DPO (PS/00314/2021).
- The AEPD clarified that public sector bodies and agencies are obliged (as per article 37 GDPR) to appoint a suitably qualified DPO, to provide him with the necessary means, and to notify the AEPD of the designation for their inclusion in the Public Register of DPOs.
- Warning against the Spanish municipality Ayuntamiento de Arroyomolinos for not having appointed a DPO (PS/00257/2020).
- The AEPD recalled that the public administrations are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a DPO (Article 37 GDPR).
- Warning against the Asturian Handball Federation for not having appointed a DPO (PS/00285/2020).
- Warning to the City Council of Burgos for not having appointed a DPO. DPO to be appointed within 2 months (PS/00329/2020).
- Administrative fine of 25 000€ against Glovo for not having appointed a DPO (PS/00417/2019).
- The defendant stated that it created an internal data protection board with exactly the same role and functions as a DPO and that this board effectively carries out the activity of a DPO. For the AEPD, Glovo infringed its obligation to appoint a DPO and to register the appointment with the Spanish data protection authority.
- Formal notice to 22 municipalities to appoint a DPO (Délibération MEDP-2022-001 du 5 mai 2022)
- The municipalities have 4 months to comply by appointing a DPO in accordance with the GDPR (independence, sufficient means, etc.). If the municipalities do not comply with the formal notice, the CNIL body responsible for imposing sanctions could decide to impose a fine and make it public.
- Administrative fine of 10 000€ against Rapidata GmbH for not having appointed a DPO (Press Release).
- Administrative fine of 250 000€ against the IAB Europe for numerous violations of the GDPR including its obligation to designate a DPO (21/2022).
- For the APD, as the TCF constitutes a regular and systematic observation of identifiable users, IAB Europe should have appointed a DPO in accordance with Articles 37 to 39 of the GDPR.
- As the data processed by the 401 Athens General Military Hospital was not classified information related to activities concerning national security, the HDPA found itself competent (20/2020).
- For the HDPA, the processing was lawful but required the Hospital to appoint a DPO.
Conflict of Interest
- The CEO or member of the management of a company shall not be a DPO (IP – 07121-1/2021/577).
- The DPO shall not perform tasks determining the purposes or means of the processing of personal data.
- Administrative fine of 50 000€ against Proximus for appointing its head of compliance, risk management and internal audit as its DPO (42/2020).
- A company was in breach of its obligation to communicate the contact details of its DPO under Article 37 GDPR, and of its obligation to ensure that its DPO does not have any conflict of interests under Article 38 GDPR (Délibération n°37FR/202).
- The DPO appointed by the controller was also Head of Compliance and Money Laundering Reporting Officer, which could result in a conflict of interests, in breach of Article 38 GDPR.
- Administrative fine of 525.000€ against a subsidiary of a Berlin-based e-commerce group (Press Release)
- The DPO of the subsidiary was CEO of two other group companies at the same time which acted as data processors for the subsidiary according to Art. 28 GDPR. The SA argued that the DPO was monitoring compliance with data protection law by the group companies which were managed by himself as the Managing Director. This had to be considered a conflict of interest.
Notification to the SA
- Administrative fine of 2 500 000€ against Deliveroo Italy for providing insufficient information about the algorithms used to manage work shifts in its app for riders (Ordinanza ingiunzione nei confronti di Deliveroo Italy s.r.l. – 22 luglio 2021 ).
- Among other violations, Deliveroo had failed to communicate its DPO contact details to the Garante.
- The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of 51 000€ on Facebook Germany GmbH in December 2019 (Activity Report of 2019).
- Through a complaint, the Hamburg Commissioner for Data Protection and Freedom of Information became aware that Facebook Germany GmbH had not notified a DPO for their German office.
Information of data subjects
- Administrative fine of 1500€ against a social housing company for breaching several obligations of the GDPR (73/2020).
- The APD found that the choice for the DPO wasn’t sufficiently motivated and that the DPO information wasn’t communicated to the data subject as a single point of contact. Lastly, the DPO was not properly involved in all data protection matters, which means the controller breached Article 38 GDPR.
ECJ, judgment of June 22, 2022 (Case C-534/20):
- In response to the questions referred by the German Bundesarbeitsgericht (Federal Labour Court) concerning the dismissal of a DPO, the ECJ stated “The second sentence of Article 38(3) sentence 2 GDPR does not preclude national legislation aimed at protecting workers from unfair dismissal even if the contractual termination is not related to the performance of that officer’s tasks […]”.
- Decision and report (N°36/ October 2021) by the Commission following an investigation into whether an organisation had complied with its obligation to appoint a DPO, whether the DPO contact information had been published and communicated to the DPA, whether the organisation had implemented the necessary measures to ensure that the DPO is involved in all data protection issues, and whether the DPO has the autonomy to carry out the role without constraints (Délibération N°36 FR/2021).
Regional Labour Court Hamm, judgement of October 6, 2022 (18 Sa 271/22)
- No special protection under labour law against dismissal for internal data protection officers if the company is not obliged to appoint them. It is irrelevant whether the other two companies of the group of companies, for which the plaintiff was also appointed as data protection officer, were obliged to appoint a data protection officer. This is because the special protection against dismissal of the data protection officer pursuant to Sect 6 (4) sentence 2 KSchG relates to the respective employment relationship; the special protection against dismissal exists exclusively for internal data protection officers.
Regional Labour Court Mecklenburg-Vorpommern, judgement of February 25, 2020 (Case 5 Sa 108/19):
- […] “The law does not link the activity of the data protection officer to any specific training or more detailed expertise. The level of expertise required depends in particular on the size of the organisational unit to be supervised, the scope of the data processing operations, the IT processes used, the type of data involved, etc. As a rule, knowledge of data protection law, data processing technology and operational procedures is required. If the data protection officer only has his or her own qualifications in a subarea, it is sufficient if he or she can rely on expert employees for the rest. Furthermore, further training on new technical developments and amendments to the law or developments in case law are essential.” […]
- Decision and report (N°30/ August 2021) by the Commission following an investigation into a public sector organisation on resources available to the DPO, communication of the DPO’s contact details to the DPA, and adequate control granted to the DPO in relation to the compliance of processing operations (Délibération N°30 FR/2021).
- Decision and report (N°38/ October 2021) by the Commission following an investigation into a public sector organisation on the publication of the DPO’s contact details, its obligation to appoint the DPO on the basis of their professional qualifications, whether the DPO has been sufficiently involved in all data protection issues and has received the necessary resources to fulfil their mission, and whether the organisation has abided by the obligation that other missions and tasks of the DPO have not led to conflicts of interest, particularly with regard to the supervisory nature of the DPO (Délibération N°38 FR/2021).
- Decision and report (N°40/ October 2021) by the Commission following an investigation into an organisation’s involvement of the DPO in all matters relating to data protection, the obligation to guarantee the DPO’s autonomy, the DPO’s tasks in providing advice, and the DPO’s supervisory tasks (Délibération N°40 FR/2021).
- Decision and report (N°41/ October 2021) by the Commission following an investigation into the publication of the DPO’s contact details, ensuring the DPO’s involvement in all questions relating to data protection, the organisation’s obligation to guarantee the DPO’s autonomy, as well as DPO’s ability to carry out their supervisory role in respect to data processing operations (Délibération N°41 FR/2021).
Last modified December 15th, 2022