
Dangerous dual roles: Why the wrong data protection officer can cost your company dearly

Avoiding conflicts of interest with data protection officers: Mistakes and consequences

Why the independence of data protection officers is so important

In an increasingly digitalised working world, data protection is becoming more and more important. Under certain conditions, companies are legally obliged to appoint a data protection officer (DPO), a responsible position that requires much more than formal knowledge. It is crucial that the appointed person can act independently and that there are no conflicts of interest. After all, the data protection officer monitors the company's internal compliance with data protection law and in doing so protects both the company and the data subjects.

The law stipulates that the DPO must be free of conflicts of interest: Article 38(6) GDPR allows the DPO to take on other tasks, but obliges the controller or processor to ensure that those tasks do not result in a conflict of interests. Time and again, companies opt for solutions that seem obvious at first glance, such as appointing a manager, for example the managing director, as data protection officer. This seems practical, especially in smaller companies, but the risks of this ‘dual role’ should not be underestimated: anyone who is both managing director and data protection officer must monitor their own decisions about the purposes and means of processing, a classic conflict of interest that can have serious consequences.

Real consequences: how quickly it can become expensive

A recent case in Austria shows how sensitive this issue is: the data protection supervisory authority imposed a fine of €5,500 on a company because a managing director, who was also a shareholder, was acting as data protection officer. Supervisory authorities elsewhere also warn against entrusting persons in management positions with this task, because the dual role in itself constitutes a conflict of interest, regardless of whether any other data protection rule has actually been violated.

The lack of separation of roles will become apparent at the latest when complaints are received or when a client reviews its processors and their data processing agreements. Planned projects can then quickly come to a standstill or, even worse, contracts can be lost because clients become aware of data protection deficiencies. It is not without reason that supervisory authorities emphasise that the controller must take active precautions against conflicts of interest before problems arise.

How companies can identify and avoid conflicts of interest with the DPO

Measures for the secure appointment of the data protection officer

It is not sufficient to appoint a data protection officer according to the motto ‘the main thing is that someone is on paper’. Companies should carefully check the suitability of the person in question. Particular attention should be paid to the rule that management personnel who make operational decisions about processing should not be entrusted with the control function. The Article 29 Working Party guidelines on DPOs (WP243), which the European Data Protection Board (EDPB) has endorsed, emphasise that the independence of the DPO is paramount and name senior management positions such as chief executive, chief operating, chief financial or chief medical officer and the heads of marketing, human resources and IT as typical examples of conflicting roles.

Companies that cannot find suitable internal personnel should consider appointing an external data protection officer. External professionals usually bring not only the necessary expertise but also the neutrality required to perform the tasks conscientiously and independently. Special guidelines and recommendations exist for small and medium-sized enterprises to help them find suitable solutions and comply with legal requirements.

Practical tips for risk reduction and legally compliant organisation

Companies are advised to draw up internal guidelines for avoiding conflicts of interest and to check regularly, especially after restructuring or personnel changes, whether the current DPO still meets the legal requirements. Clear documentation of decision-making processes and of the distribution of tasks is essential in order to be able to prove to a supervisory authority, if it comes to that, that the obligation to avoid conflicts of interest has been fulfilled.

A proactive approach to the issue spares the company unpleasant disputes with supervisory authorities and protects not only against fines but also against damage to its reputation. Whichever solution you choose, it is advisable to follow developments in data protection requirements closely and, if in doubt, to seek expert advice in good time.

Conclusion: Take data protection seriously, prevent risks and avoid fines

Appointing a data protection officer is not a mere formality. If you want to be on the safe side when filling this position, you must ensure that the person is genuinely independent and that there are no conflicts of interest. Managers and members of decision-making and supervisory bodies cannot combine their position with the DPO role, because the law does not allow it. The consequences of getting this wrong range from lost contracts to substantial fines. Raise awareness of this issue within your company, clarify responsibilities and rely on competent, independent contacts.

Are you unsure whether your organisation is on the safe side when it comes to data protection, or do you need support in selecting and appointing a data protection officer? Don't hesitate to contact us – we will be happy to advise you and help you make your data protection management legally compliant. Contact us for a no-obligation consultation!
