DPO Watchdog

DPO Case Law

Designation

CNPD, Luxembourg:

  • A non-profit association, which belonged to a confederation of entities providing social services, was not obliged to appoint a DPO pursuant to Article 37 GDPR (Délibération n°43FR/2021).
  • A company's offering of a loyalty programme to its customers did not constitute regular and systematic monitoring pursuant to Article 37 GDPR, and therefore did not require a DPO appointment (Délibération n° 42FR/2021).

Garante, Italy:

AEPD, Spain:

  • Warning against the municipality of Ayuntamiento de Molina de Segura for not having appointed a DPO (PS/00314/2021).
    • The AEPD clarified that public sector bodies and agencies are obliged (as per article 37 GDPR) to appoint a suitably qualified DPO, to provide him with the necessary means, and to notify the AEPD of the designation for their inclusion in the Public Register of DPOs.
  • Warning against the Spanish municipality Ayuntamiento de Arroyomolinos for not having appointed a DPO (PS/00257/2020).
    • The AEPD recalled that the public administrations are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a DPO (Article 37 GDPR).
  • Warning against the Asturian Handball Federation for not having appointed a DPO (PS/00285/2020).
  • Warning to the City Council of Burgos for not having appointed a DPO. DPO to be appointed within 2 months (PS/00329/2020).
  • Administrative fine of 25 000€ against Glovo for not having appointed a DPO (PS/00417/2019).
    • The defendant stated that it had created an internal data protection board with exactly the same role and functions as a DPO and that this board effectively carries out the activity of a DPO. For the AEPD, Glovo has infringed its obligation to appoint a DPO and to register that appointment with the Spanish data protection authority.

CNIL, France:

  • Formal notice to 22 municipalities to appoint a DPO (Délibération MEDP-2022-001 du 5 mai 2022).
    • The municipalities have 4 months to comply by appointing a DPO in accordance with the GDPR (independence, sufficient means, etc.). If the municipalities do not comply with the formal notice, the CNIL body responsible for imposing sanctions could decide to impose a fine and make it public.

BfDI, Germany:

  • Administrative fine of 10 000€ against Rapidata GmbH for not having appointed a DPO (Press Release).

APD, Belgium:

  • Administrative fine of 250 000€ against IAB Europe for numerous violations of the GDPR, including of its obligation to designate a DPO (21/2022).
    • For the APD, as the TCF constitutes a regular and systematic observation of identifiable users, IAB Europe should have appointed a DPO in accordance with Articles 37 to 39 of the GDPR.

HDPA, Greece:

  • As the data processed by the 401 Athens General Military Hospital was not classified information related to activities concerning national security, the HDPA found itself competent (20/2020).
    • For the HDPA, the processing was lawful but required the Hospital to appoint a DPO.

Conflict of Interest

IP, Slovenia:

  • The CEO or member of the management of a company shall not be a DPO (IP – 07121-1/2021/577).
    • The DPO shall not perform tasks determining the purposes or means of the processing of personal data.

APD, Belgium:

  • Administrative fine of 50 000€ against Proximus for appointing its head of compliance, risk management and internal audit as its DPO (42/2020).

CNPD, Luxembourg:

  • A company was in breach of its obligation to communicate the contact details of its DPO under Article 37 GDPR, and of its obligation to ensure that its DPO does not have any conflict of interests under Article 38 GDPR (Délibération n°37FR/202).
    • The DPO appointed by the controller was also Head of Compliance and Money Laundering Reporting Officer, which could result in a conflict of interests, in breach of Article 38 GDPR.

BlnBfDI, Germany:

  • Administrative fine of 525.000€ against a subsidiary of a Berlin-based e-commerce group (Press Release).
    • The DPO of the subsidiary was at the same time CEO of two other group companies, which acted as data processors for the subsidiary according to Art. 28 GDPR. The SA argued that the DPO was monitoring compliance with data protection law by group companies that he himself managed as Managing Director. This had to be considered a conflict of interest.

Notification to the SA

Garante, Italy:

HmbBfDI, Germany:

  • The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of 51 000€ on Facebook Germany GmbH in December 2019 (Activity Report of 2019).
    • Through a complaint, the Hamburg Commissioner for Data Protection and Freedom of Information became aware that Facebook Germany GmbH had not notified a DPO for their German office.

Information of data subjects

APD, Belgium:

  • Administrative fine of 1500€ against a social housing company for breaching several obligations of the GDPR (73/2020).
    • The APD found that the choice of DPO wasn't sufficiently motivated and that the DPO information wasn't communicated to the data subject as a single point of contact. Lastly, the DPO was not properly involved in all data protection matters, which means the controller breached Article 38 GDPR.

Position

ECJ, judgment of June 22, 2022 (Case C-534/20):

  • In response to the questions referred by the German Bundesarbeitsgericht (Federal Labour Court) concerning the dismissal of a DPO, the ECJ stated “The second sentence of Article 38(3) sentence 2 GDPR does not preclude national legislation aimed at protecting workers from unfair dismissal even if the contractual termination is not related to the performance of that officer’s tasks […]”

Expertise

Regional Labour Court Mecklenburg-Vorpommern, judgement of February 25, 2020 (Case 5 Sa 108/19):

  • “[…] The law does not link the activity of the data protection officer to any specific training or more detailed expertise. The level of expertise required depends in particular on the size of the organisational unit to be supervised, the scope of the data processing operations, the IT processes used, the type of data involved, etc. As a rule, knowledge of data protection law, data processing technology and operational procedures is required. If the data protection officer only has his or her own qualifications in a subarea, it is sufficient if he or she can rely on expert employees for the rest. Furthermore, further training on new technical developments and amendments to the law or developments in case law are essential. […]”

Last modified September 20th, 2022