The strong legal position of the DPO [1], which is provided by the GDPR, does not in practice protect the DPO from the risk of either being sued or being fired by the controller.
-
Role of DPO according to GDPR
The key tasks of the DPO are to advise and inform the controller and equally to monitor the compliance of the controller with the GDPR. [2] According to a statement of the EDPB, it is the controller, not the DPO, who is held accountable for compliance with the GDPR. [3]
Art. 38 (3) GDPR grants an independent position to the role of the DPO:
“The controller … shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.”
The unique position of the DPO further requires a direct reporting line to the highest management level of the controller. In addition, the DPO may not be dismissed for performing his tasks. [4]
Although the legal position of the DPO is very strong, the practice of DPOs shows a different picture. In Germany the DPO had a similar legal position before the GDPR became applicable. However, the power of the DPO was de facto much weaker than his legal position.
-
Limits of DPOs independence
In practice the DPO has two faces, like Janus in ancient Roman mythology. On the one hand, the DPO is part of the system which is responsible for the oversight of the controller. In this regard the DPO cooperates with the data protection authorities. On the other hand, the DPO is an employee of the controller and is part of the organisation of the controller. In this respect the controller may put the DPO under pressure to provide statements in favour of the controller which go beyond a sound legal interpretation of the GDPR. In addition, the controller may try to prevent findings being qualified as high risk in audits of the DPO.
The consequence of this Janus-like position is that a DPO will never change the data protection culture of an organisation in confrontation with the management of the controller. Without the acceptance of the management, the implementation of the GDPR will fail. This applies equally to the middle and the highest management of the controller.
But implementing the GDPR requires an organisational and cultural change of the controller. That derives from the stricter requirements of the GDPR and equally from the documentation duties of the accountability principle. Since the controller is required to show evidence of compliance with the GDPR, the risk culture of a controller needs to transparently name and adequately judge the risks for data subjects.
-
DPO at risk
This challenge puts both DPO and controller at risk. The DPO who is – in the eyes of the controller – too restrictive will be put under high pressure by the controller. When this situation escalates, the DPO will eventually be fired. Regardless of the fact that the GDPR provides the DPO with protection against dismissal, the controller will find a way to terminate the employment contract with the DPO. The DPO may be isolated and confronted with all measures available to HR termination management.
On the other hand, the controller is equally at risk. Insofar as the controller is not willing to accept the cultural and organisational change recommended by the DPO to implement the GDPR, the controller faces the risk of fines, damages and bad press.
-
How to empower the DPO
One of the key findings for a controller which is willing to implement the GDPR in a sound way is to provide the DPO with a prominent position in the hierarchy of its organisation.
The DPO shall not only have a direct reporting line to the highest management. In addition, the DPO shall be placed directly under the highest management board as a staff unit („Stabsstelle“). That derives from a statement of the German Federal Data Protection Authority (Bundesdatenschutzbeauftragter). [5] With this position the DPO shall be placed at the same hierarchy level as, for example, the head of the legal department or the head of the compliance department.
This position will empower the DPO to provide valid legal statements and effective audits to protect the controller from fines, damages and bad press.
This organisational change is not only a claim of legal theory but equally a measure of legal practice. After the data protection scandals of Deutsche Telekom [6] and Deutsche Bahn [7], both state-owned companies changed their corporate structure and moved data protection into a prominent position within their organisation. [8]
-
DPO as messenger of bad news
The GDPR safeguards the right to protection of personal data. [9] But the protection of the personal data of customers conflicts with the maximisation of profit of private business. This conflict is the burden of any DPO.
Insofar as the DPO is too strict – from the perspective of the controller – the controller may react like emperors in ancient Greece and kill the messenger of bad news. The strong legal position will raise the cost of a golden handshake but will not save the DPO from the termination of his employment contract.
Insofar as the DPO gives too much leeway to the pressure of the controller, he may face the risk of personal liability, e.g. for a statement which contradicts the interpretation of the data protection authorities.
At the latest when the controller is fined by the data protection authority on the basis of the DPO's opinion, the company may claim damages against the DPO. This mechanism was executed by VW in Dieselgate. First VW motivated or pushed a team of employees to manipulate the software. After the discovery of Dieselgate, VW fired the same employees and is now claiming damages from them. [10]
Therefore, the best advice for a DPO is to find a controller which takes data protection seriously and is willing to implement the measures required by the GDPR.
[1] data protection officer
[2] According to Art. 39 (1) (a) and (b) GDPR
[3] EDPB, Guidelines on Data Protection Officers (‘DPOs’), wp243rev.01_en, 5 April 2017, page 4
[4] According to Art. 38 (3) GDPR
[5] BfDI, Die DSGVO in der Bundesverwaltung, page 28, 29;
[7] https://www.faz.net/aktuell/wirtschaft/unternehmen/datenschutz-deutsche-bahn-ueberpruefte-heimlich-173-000-mitarbeiter-1753575.html
[8] e.g. Bundesbeauftragter für den Datenschutz, Tätigkeitsbericht für die Jahre 2009 und 2010, p. 135; ‘Deutsche Bahn implemented a unique position on its management board for compliance, data protection and law’
[9] According to Art. 1 (2) GDPR