Data Protection Officer: The 3 Most Expensive Mistakes Managing Directors Must Avoid

Last updated:
04.03.2026
A Data Protection Officer ensures that companies securely meet GDPR requirements and protects against data breaches. But what if incidents still occur, or the supervisory authority suddenly imposes fines? This article shows which mistakes you should avoid when working with Data Protection Officers.
Key Takeaways
  • Among the biggest liability risks associated with Data Protection Officers (DPOs) are breaches of duty during appointment, conflicts of interest, and errors in advice.
  • Especially in SMEs, liability risks arise from conflicts of interest.
  • Internal and external Data Protection Officers have different liabilities.
  • To limit liability risks, collaboration with an external data protection expert is recommended.

Mistake 1: Failing to appoint a DPO despite the obligation

According to Art. 37 GDPR, most companies in Germany are obliged to appoint a Data Protection Officer. This applies, for example, to companies where at least 20 employees are continuously involved in processing personal data.

What consequences do companies face that fail to appoint a Data Protection Officer despite the obligation?

If decision-makers fail to appoint a DPO despite their legal obligation, this constitutes a violation of the GDPR and, according to Art. 83(4) GDPR, can be subject to fines of up to 10 million Euros or 2% of the worldwide annual turnover from the previous financial year.

Mistake 2: Appointing a DPO with a conflict of interest

A DPO must be free from conflicts of interest to perform their DPO duties conscientiously. Neutrality is paramount. It prevents the DPO from determining, in another role, the purposes and means of processing personal data for their company, as this would mean they are supervising themselves.

A neutral perspective on all data protection matters of the company requires that the individual in question has no influence whatsoever on the purposes for which personal data is processed within the company. Furthermore, the means used for this purpose must not fall within the DPO's scope of duties and responsibilities.

What are conflicts of interest for DPOs?

There are three types of conflicts of interest that prevent a DPO from performing their duties. A conflict of interest exists when

  • interests unrelated to data protection influence the advice given to the company.
  • the diligent and comprehensive control and monitoring of data protection is jeopardized by personal interests.
  • neutrality in cooperation with supervisory authorities is not guaranteed. This is because the proper representation of data protection matters can only be ensured by a neutral DPO.

Conflicts of Interest in Practice: SMEs Often Affected

Individuals in senior and middle management are generally not suitable for the role of a data protection officer: employees in management positions themselves make significant decisions regarding the processing of personal data in their company.

This is a particular challenge for smaller companies, where there are often no employees below management level who possess the professional qualifications and expertise to perform the role.

Conflicts of interest for data protection officers also frequently occur with works council members. Here, too, different areas of responsibility clash in the handling of personal data.

What can happen in the event of a conflict of interest?

A conflict of interest can be costly for companies. This is illustrated by the case of a Berlin-based retail group: its subsidiary appointed a data protection officer who was also the managing director of two of the company's service companies. These are also part of the group and processed personal data extensively. The DPO was therefore supposed to monitor companies in whose management he himself was involved.

The Berlin Commissioner for Data Protection and Freedom of Information saw this as a clear case of a conflict of interest and thus a violation of the GDPR. The supervisory authority initially issued a warning against the company in 2021. However, after the violation was not rectified, it imposed a fine of 525,000 Euros.

How can conflicts of interest be avoided?

Generally, conflicts of interest can be avoided through a separation of operational and supervisory activities. Additionally, the appointment of an external data protection officer can counteract the risk of a conflict of interest.

Mistake 3: Underestimating liability risks

The GDPR defines clear responsibilities and regulates which parties are liable for data protection breaches. There are differences between the liability of external and internal data protection officers.

Data Protection Liability: Who is liable for GDPR breaches?

In the event of GDPR breaches, various parties can be held liable:

  • Controller: According to Art. 4 No. 7 GDPR, the main responsibility lies with the company or authority that determines the purposes and means of data processing. Breaches can result in fines and claims for damages.
  • Processor: External service providers who process personal data on behalf of others must be contractually bound. In the event of breaches, they are independently liable.
  • Managing Directors and Executive Bodies: Managing directors can be personally liable for violating their corporate duties, for example, by failing to appoint a DPO. The legal basis is corporate law (§ 43 GmbHG, § 93 AktG). In cases of intent or gross negligence, damages and recourse are possible.

When and how is a Data Protection Officer liable?

The company bears data protection responsibility and is liable to data subjects under Art. 82 GDPR. The DPO is liable under § 280 BGB internally to the company if they violate their duties or provide incorrect advice.  

Depending on the breach and its context, data protection officers can be held liable in different ways. The most important grounds for liability and criminal offenses for data protection officers are:

Civil Liability

In the event of GDPR breaches, the controller or processor can be held liable for the damages incurred. If the data protection officer demonstrably acted intentionally or with gross negligence, personal civil liability may also arise.

To limit their liability, an indemnity agreement is regularly concluded in practice. However, this does not affect the company's liability risk in the event of a breach of data protection obligations.

Employment Law Liability for Internal DPOs

As employees, internal data protection officers are subject to the intra-company liability privilege: According to § 619a BGB, they are only liable to the employer if they are responsible for the breach of duty. According to the jurisprudence of the Federal Labor Court (BAG), liability only arises in cases of gross negligence or intent.  

The following principles of liability for damages apply, which employers may not alter to the detriment of their employees:

  • Slight negligence: Internal Data Protection Officer receives indemnity
  • Ordinary or moderate negligence: Usually, damages are shared
  • Gross negligence: DPO is liable as agreed

Jurisprudence emphasizes that internal data protection officers must not be unduly burdened. After all, this is a legally mandated function, not a voluntary risk position.

Criminal Liability

Although data protection violations are primarily subject to civil law or administrative fines, criminal consequences are possible, for example, in cases of intentional disclosure of business or trade secrets (§ 203 StGB, § 17 UWG). Here too, the DPO can be held liable if they unlawfully disclose confidential information.

Fines from Supervisory Authorities

The GDPR does not directly impose fines on data protection officers, but rather on controllers and processors. However, errors by the DPO can lead to the company facing significant fines – which, especially for external DPOs, can indirectly lead to claims for damages against the DPO.

How do companies reduce their DPO liability risks?

It is important that the appointed DPO performs their duties and responsibilities properly and reliably to reduce the risk of claims for damages from affected individuals. Regarding liability, companies are well advised to appoint an external DPO.

Conclusion: Avoid errors and protect against liability  

The failure to appoint a data protection officer, conflicts of interest, and underestimated liability risks are among the costly mistakes related to data protection officers. Especially in SMEs, conflicts of interest often arise when executives are expected to act as DPOs at the same time. An external data protection expert not only offers neutrality and expertise, but also minimizes liability risks for the company.

Companies should strategically plan the selection of and collaboration with their DPO to avoid legal and financial consequences. Professional external Data Protection Officers ensure GDPR compliance without conflicts of interest – and protect managing directors from personal liability.

Sabrina Schaub
Freelance Editor
Leveraging her content expertise, Sabrina supports the Proliance team in communicating complex topics clearly. As a freelance writer, she understands the data privacy requirements across different sectors and translates even complex information into content tailored to specific target audiences.