DPO conflict of interest Archives - TechGDPR
https://techgdpr.com/blog/tag/dpo-conflict-of-interest/
Feed last built Thu, 17 Jul 2025 16:52:23 +0000

Data protection digest 3-17 July 2025: AI-generated voice and visuals’ potential to violate people’s rights and freedoms
https://techgdpr.com/blog/data-protection-digest-17072025-ai-generated-voice-and-visuals-potential-to-violate-peoples-rights-and-freedoms/
Published Thu, 17 Jul 2025 14:29:25 +0000


A recent Guardian article caused a stir when it reported that an AI-generated band got 1m plays on Spotify in the past couple of weeks. Only after releasing two albums, the group called “The Velvet Sundown” admitted their music, images and backstory were created by AI. The story has triggered a debate on authenticity and the lack of any legal obligation on tagging music created by AI-generated artists so that consumers can make informed choices.

For data protection professionals, the story opens an even broader discussion of the risks that voice and image generation technology brings to the rights and freedoms of individuals.

AI-generated speech and images

In its recent opinion, the Latvian data protection regulator DVI presumed that, when using an image created with the help of AI from scratch (eg, by entering the keywords “children playing”), personal data is not processed, as the image does not refer to a specific real person. However, there are many cases where the image is created using a photograph or visual description of a specific person. And if such an image is later associated with an identifiable person, its generation and publication may be considered processing of personal data. Although the use of synthetic images can raise doubts about the veracity of the content, AI-generated visual materials still allow the necessary information to be conveyed to the audience while respecting people’s privacy (eg, fundraising campaigns for children in distress), the regulator states.

Similarly, voice generation technology is taking over our everyday lives. The Liechtenstein data protection commissioner, in a recent interview, reminds us that cloned voices can be deceptively similar to genuine ones and can therefore easily be used to mislead third parties, for example in fraudulent calls or fake audio recordings of politicians, celebrities or even colleagues. Anyone who makes their voice publicly available or works with language professionally is providing potentially valuable training material for AI systems. Thus, it is recommended to provide clear copyright notices and, if necessary, to contractually agree on the use by third parties. A general or tacit consent to processing is not sufficient – rather, an explicit, informed consent is required. The data controller may also be obliged to conduct a data protection impact assessment (DPIA) if the data processing is expected to pose a high risk to the rights and freedoms of natural persons.


EU AI Code of Practice

The European Commission published the final version of the General-Purpose Artificial Intelligence Code of Practice. The document helps industry comply with the AI Act legal obligations on safety, transparency and copyright of general-purpose AI models. The code was published on July 10, 2025. In the following weeks, Member States and the Commission will assess its adequacy. Additionally, the code will be complemented by Commission guidelines on key concepts related to general-purpose AI models, to be published later in the month. More information on the code is available in this dedicated Q&A.

US child privacy updates

On 1 July in Connecticut, the Act concerning Social Media Platforms and Online Services, Products and Features enters into force. According to a digitalpolicyalert.org analysis, the act expands the Connecticut Data Privacy Act, defining “heightened risk of harm to minors” to include risks such as anxiety disorders, compulsive use, physical violence, harassment, sexual exploitation, unlawful distribution of restricted substances, and unlawful gambling. The act requires owners of social media platforms to incorporate an online safety methodology by 1 January 2026. Data controllers must use reasonable care to avoid such risks, conduct data protection assessments, and implement mitigation plans. Processing of minors’ personal data for targeted advertising, sales, or profiling is prohibited, and precise geolocation data collection requires safeguards. Impact assessments are mandated for profiling-based services, detailing purpose, risks, data categories, and transparency measures.

In parallel, Oregon will begin to regulate the use of minors’ information and sale of users’ location data (regardless of age) with an update to its Oregon Consumer Privacy Act. These revisions will go into effect January 1, 2026. As amended, those subject to the law will not be able to profile or serve targeted advertising to anyone under 16. And Maryland will impose a similar prohibition on the same date, but for information of those under 18, eyeonprivacy.com law blog reports.

Anonymisation

The Asia Pacific Privacy Authorities (APPA) have published an overview of basic anonymisation concepts and practical steps that can be put in place to enable organisations to kickstart their anonymisation journey. Proper anonymisation requires both good knowledge of the data context and competency with the technicalities of anonymisation. Where the data controller does not have the necessary level of skills, they should consider engaging an expert to perform the anonymisation.

It is also recommended to refer to the ISO standard titled ‘Information Security, Cybersecurity and Privacy Protection – Privacy Enhancing Data De-identification Framework’ (ISO/IEC 27559:2022). This standard recognises that anonymisation involves not only the data itself but also the context in which data is shared and used, as well as the governance practices in place.  

Audience consent exemption

The management of a website or mobile application generally requires the use of traffic or performance statistics, which are often essential for the provision of the service. Cookies placed for this purpose may be exempt from consent under certain conditions, states the French CNIL. In order to limit themselves to what is strictly necessary for the provision of the service and thus be exempt from consent, these trackers must:

  • be used for a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or its ergonomics, estimation of the power of the servers required, analysis of the content consulted);
  • be used to produce anonymous statistical data only.

Conversely, to be exempt from consent, these trackers must not:

  • lead to data being cross-referenced with other processing operations or to non-anonymous data being transmitted to third parties;
  • allow tracking of the individual’s browsing experience using different applications or browsing different websites. Any solution using the same identifier across multiple sites (for example, via cookies placed on a third-party domain loaded by multiple sites) to cross-reference, split, or measure a unified content reach rate is excluded.

AI system data quality

The Federal Office for Information Security in Germany presented a methodological guide called QUAIDAL (in German), aimed primarily at providers of high-risk AI systems, for which the AI Act defines detailed requirements regarding documentation, data management, and continuous quality assurance. The modular design of the guideline allows project managers and development teams to select appropriate measures to ensure data quality at an early stage and systematically demonstrate their implementation. Furthermore, this modular concept can be flexibly expanded in the future to accommodate new technological developments. 

More from supervisory authorities

Emotion recognition: The Dutch data protection regulator AP notes that organisations are increasingly using AI to recognise emotions in people: the voice can be used to analyse your emotional state during a customer service conversation; your smartwatch measures your stress; or a chatbot that recognises your emotions can therefore respond more empathetically.


However, emotion recognition is based on controversial assumptions about emotions and their measurability. It’s not always clear how AI systems recognize emotions, nor whether the results are reliable. People are also not always aware that emotion recognition is being used, nor are they always aware of the data used. Finally, in education and the workplace, the use of AI systems for emotion recognition is already prohibited under the EU AI Act. 

LLMs and data subject rights: A consultation on processing personal data in large language models in a way that complies with data protection laws has been launched by the German Federal Data Protection Commissioner, running until August 10. Limits on anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of GDPR data subject rights in AI systems are among the main topics. The results will aid in the creation of compliant methods for handling AI’s memorised personal data, summed up in a digitalpolicyalert.org legal blog. 

EU minors data: The European Commission has published guidelines on the protection of minors under the Digital Services Act. These guidelines aim to ensure a safe online experience for children and young people on online platforms accessible to minors (excluding micro and small enterprises). They suggest measures such as setting minors’ accounts to private by default, so that their personal information, data and social media content is hidden from those they aren’t connected with, reducing the risk of unsolicited contact by strangers; effective age assurance methods; prohibiting the downloading or screenshotting of minors’ content; measures to improve moderation and reporting tools; and much more.


Data-driven pricing

The Future of Privacy Forum reports that US state lawmakers (eg, in a new New York bill) are seeking to regulate various pricing strategies that fall under the umbrella of “data-driven pricing” (often algorithm-based): practices that process user data to continuously inform decisions about the prices and products offered to consumers. They fall under one of the following categories:

  • Reward or loyalty program: A company offers a discount, reward, or other incentive to repeat customers who sign up for the program. 
  • Dynamic pricing: Rapidly changing the price of a particular product or service based on real-time analysis of market conditions and consumer behavior.
  • Consumer segmentation or profiling: A profile is created for a customer based on their personal data, including behavior and/or characteristics, and they are placed within a particular audience segment. 
  • Search or product ranking: Altering the order in which search results or products appear, to give more prominence to certain results, based on general consumer data or specific customer behavioral data. 

Age-verification in shops

The French CNIL also considers that the use of “augmented” cameras to estimate the age of customers of tobacco shops in order to control the sale of prohibited products to minors is neither necessary nor proportionate. Currently deployed devices are enabled by default and scan the faces of all people in their field of vision. They then indicate, by a green or red light, whether or not the estimated age of the people exceeds a predetermined age (18 years old, 21 years old or other). The law requires tobacconists to check that their customers are of legal age before selling tobacco or alcohol. However, these devices can only estimate the age of people, without certainty, and they carry a risk of error, like any artificial intelligence system. 

To fulfil their age control obligations, tobacconists must therefore resort to other solutions, such as verification of an identity document or any official document containing the person’s date of birth.

Prohibited AI practices facing privacy enforcement

The Spanish privacy regulator AEPD stated that it can now act against prohibited AI systems that process personal data, regardless of the entry into force of the AI Act. A series of the AI Act’s sections will come into force as of August 2, 2025, even though the Spanish draft AI law has not yet been approved and the AEPD has not yet been formally assigned as a market surveillance authority. However, the agency’s status as the competent authority for personal data protection remains unchanged. Therefore, although this is not a direct application of the AI Act, the regulator may supervise and act against processing of personal data carried out using prohibited systems.

In other news

Insurance agency data leak: The personal data protection agency in Croatia has imposed eight new administrative fines totalling 350,500 euros. In particular, following an anonymous report that personal data of more than a million vehicle owners had been “leaked” from the state register, the regulator conducted supervisory procedures at several related entities – the Croatian Insurance Bureau, the Croatian Vehicle Center, the Ministry of the Interior of the Republic of Croatia, as well as other legal entities that were associated with the incident.

It was established that the leaked data submitted to the regulator on a USB stick – vehicle owner data, vehicle data, insurance data and data on reduction (bonuses/minimums) matched the database of the Croatian Insurance Bureau. As the data controller, they did not take appropriate organisational and technical measures to protect the personal data of the respondents. Additionally, they did not separately prescribe maximum retention periods for the personal data of the respondents contained in the register. 

Biometric identification fine: The Spanish AEPD fined sports centre operator SIDECU 160,000 euros for offences including illegal biometric data processing; the amount was eventually lowered to 96,000 euros, according to Data Guidance. Without offering any other options, SIDECU used a face recognition technology as the only way to enter its sports facilities, which violated GDPR Art. 9. In violation of Art. 13, they also did not properly notify members about data processing and did not conduct a data protection impact assessment as mandated by Art. 35. SIDECU was given ten working days to halt the processing.

Political party fine

The Romanian data protection regulator fined the Alliance for the Unity of Romanians Party, AUR, (a right-wing populist political party in Romania and Moldova) approx 25,000 euros following a data leak. One of the notified security breaches targeted the aur.mobi application used and managed by the party, whose vulnerability was exploited by a third party by accessing the application’s source code. Due to a configuration error, at the time of the incident, the following categories of personal data of its users, (supporters/members – individuals who provided personal data in the operator’s application), could be viewed within the application: 

  • first and last name, 
  • telephone number, e-mail address, residence address, personal id number, 
  • date of birth, nationality, citizenship, gender, religion, 
  • profession, occupation, field of activity, experience in other fields, studies (institution, specialisation, start and end dates), 
  • political experience (party, position, start date, end date), 
  • administrative experience (institution, position, start date, end date), 
  • foreign languages spoken (language, level).

The investigation found that personal data were processed by the controller for the purpose of informing data subjects about an AUR campaign and for statistical purposes, and that the processed data are not adequate, relevant and limited to what is necessary in relation to the declared purposes.

DPO’s conflict of interest

In Estonia, a county court overturned the decision of the Data Protection Inspectorate, which imposed a fine of 85,000 euros on Asper Biogene for violating data protection requirements. The inspectorate accused Asper of two significant violations in the misdemeanor proceedings. Firstly, the company appointed a sole board member as a data protection specialist, who lacked both the necessary independence and competence to perform this role.  Secondly, Asper Biogene had not implemented sufficient security measures, which allowed unauthorized persons to access the company’s database during a cyber attack in 2023. A large volume of data was downloaded, including special categories. 

The county court agreed that a member of the board, who manages the company’s activities and decides on the purposes and means of data processing, cannot at the same time independently perform the duties of a data protection specialist. However, the court found that the violation was committed through negligence and took into account the fact that the company had later appointed a competent specialist and implemented additional security measures. The court decided that the fault of the person subject to the proceedings is minor and that there is no public interest in the proceedings. The regulator does not agree with these findings and is preparing an appeal.

In case you missed it 

Swimming pool surveillance: It’s the height of summer, and concerns about theft, break-ins and swimming accidents are increasing. Facilities are therefore increasingly turning to video surveillance and AI. However, not everything that is technically possible is compatible with data protection, explains the North Rhine-Westphalia data protection regulator.

In one example, burglaries in swimming pools regularly occur outside of business hours, so recording must be limited to those times. To prevent unauthorised access during normal business hours, only the entrance area or access barrier may be recorded. Locker break-ins also frequently occur. In these cases, video surveillance may be permitted in a limited capacity. However, changing areas must never be included. Areas subject to video surveillance should be specially marked, for example by colour-coded flooring.

At the same time, operators are increasingly turning to artificial intelligence to prevent swimming accidents. However, its use should not replace existing supervisory measures, but can at best complement them, because AI systems still have a significant error rate.

Traveling with data privacy in mind: Online activity onboard trains requires a few simple precautions to travel with peace of mind, states the French CNIL. A password written on a piece of paper stuck to your computer, a screen visible to other passengers or an unlocked computer when you leave your seat are small seemingly innocuous mistakes that can expose your personal data, your private and professional life and compromise the security of your devices. The essential safeguards can include:

  • Always lock your devices when you’re away.
  • Decrease the visibility of your screen to other passengers and use a privacy filter.
  • Pay attention while using public Wi-Fi.
  • Do not memorise your credentials or other data in the browser.
  • Protect your passwords with dedicated tools.
  • Stay vigilant against phishing attempts, etc.

Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’
https://techgdpr.com/blog/data-protection-digest-04072023-rules-on-gdpr-fines-controllers-bcrs-and-right-to-know/
Published Tue, 04 Jul 2023 08:35:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

New rules on GDPR fines: New rules, issued by the EDPB, are now in effect for calculating fines for companies that violate the GDPR. All privacy supervisors in the EU will calculate the size of fines in the same way. The size and turnover of a company will play a major role. Companies can find in the guidelines which amount is used as a starting point for calculating the fine for a particular violation and the severity level for a company of their size. 

US State legislation: More state privacy laws have joined the ranks of those in the US enacting such legislation – Montana, Florida, and Texas. California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws in 2022, with all of them slated to go into effect in 2023. Early this year, Iowa, Indiana, and Tennessee passed their own privacy legislation, that will take effect by 2025 or 2026. In many circumstances, the new legislation compels covered entities to recognize opt-out preferences for users and to include particular disclosures in the sale of sensitive personal data or biometric data.

Foreign Surveillance: The White House is putting pressure on to reauthorize an electronic surveillance law that allows the targeted monitoring of foreign individuals. The Foreign Intelligence Surveillance Act’s Section 702 is due to sunset at the end of the year. While the program is designed to acquire information on non-Americans residing outside the US, it also collects information on their conversations with US citizens. Curbing US state surveillance practices is also a cornerstone of the future EU-US Data Privacy Framework, which is now being considered by the EU Commission for adoption. 

Official guidance

Updated BCR-C: The EDPB approved the recommendations regarding Controller Binding Corporate Rules. All data controllers using BCRs must update the rules they use to comply with the new recommendations. It clarifies, among other things, what should be included in the controller’s BCR rules, and what must be presented in the BCR application. The recommendations also include an updated standard application form for the BCRs. All users of the BCRs and those applying for approval under them must bring themselves into compliance either during the application process or as part of the annual update, depending on their situation. The EDPB is currently drafting recommendations on the BCRs for personal data processors as well.

Data subject complaints: Another form issued by the EDPB makes it easier for individuals to make complaints to data protection authorities in the EU and EEA. Its use is voluntary for data protection authorities, and they can modify the model to suit their national requirements. The form can be used in cases where a private person files a complaint, or cases where someone else files a complaint, (a legal representative or an entity acting on behalf of an individual).

Age assurance tech: The “Future of Privacy Forum” organisation publishes infographics on age assurance technology. The analysis outlines the three categories of age assurance, their risks and advantages: a) Age declaration (age gate, parental consent/vouching); b) Age estimation (facial characterisation and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals); c) Age verification (government, biometrics or digital ID). Another report by the organisation looks at verifiable parental consent, a form of age declaration and a requirement of the Children’s Online Privacy Protection Act, alongside its analyses of new children’s privacy laws in various US states.

‘Gestiona’ tool: The Spanish data protection agency has launched a new version of its Gestiona tool, aimed especially at small public or private entities, which allows managing records of processing activities, carrying out risk management and, where appropriate, providing support for carrying out impact assessments. The tool now has a more intuitive design and incorporates the latest guidelines. The management is carried out in the user’s own browser, without data being transmitted to the regulator. The information can be stored in a file on the user’s computer and retrieved after each session.

PETs: The UK Information Commissioner’s Office issued guidance that discusses privacy-enhancing technologies in detail. The first part of the guidance is aimed at DPOs, (data protection officers) and those with specific data protection responsibilities in larger organisations. The second part is intended for a more technical audience, and for DPOs who want to understand more detail about the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits, with reference tables and case studies. 

Case Law

‘Right to know’: The CJEU stated that every person has the right to know the date of and the reasons for the consultation of their personal data. In the related case, an employee of a bank, who was also their client, had requested information about the persons who had reviewed his customer information in connection with an internal audit. The bank had refused to disclose the identity of the employees who performed the review but disclosed the reasons and other details. The CJEU states that a person has the right to receive a ‘copy’ of information about the inquiries, such as log data, (eg, it may show the frequency of the review). However, the data subject does not have the right to receive information about the identity of the reviewer, under the authority of the data controller.

DPO’s conflict of interest: In a recent ruling, (not yet published in full), the German Federal Labour Court, (‘BAG’), has decided that the chair of a works council is not eligible to serve as DPO, Ius Laboris Law blog reports. In the case in question, following GDPR instructions, an employer twice dismissed the works council chairman as DPO as a precautionary measure. Before deciding that the revocation of the appointment had been justified, the court had referred the question to the CJEU. 

The CJEU ruled that the roles of works council chair and DPO could not be undertaken by the same individual without creating a conflict of interest. Because the works council decides the aims and means of processing personal data, (as required by applicable laws), the works council chair is unable to supervise data protection law compliance in a sufficiently independent manner. The court clearly left open the question of whether all members of the works council are barred from acting as DPO. However, the conflict of interest considerations may exist for them as well. 

Enforcement decisions

IAB Europe’s TCF update: Interactive Advertising Bureau Europe, (the European-level association for the digital marketing and advertising ecosystem), launched an updated Transparency & Consent Framework in response to industry demand and the Belgian data protection authority action plan. Among changes, the TCF includes revised purpose names and descriptions, new retention periods, the removal of the legitimate interest legal basis for advertising and content personalisation, the introduction of data categories used in conjunction with the purposes, and a more robust vendor compliance program. Participants will have until the end of the third quarter of 2023 to adopt it.

User profiling for direct marketing: The Swedish Privacy Protection Agency issued a sanction of approx. 1 mln euros against Bonnier News, because the group profiled its customers and web visitors without their consent. The company, citing legitimate interest, collects information from several different sources for targeted advertising on the web and marketing via physical mail and telephone sales. The data includes information about purchases made in various companies in the group and surfing behaviour. In some cases, this information is also combined with other personal data that is bought in from outside, such as information about the customer’s gender, the household’s car ownership and postcode, as well as statistical information based on the individual’s area of residence such as stage of life, purchasing power and type of residence.

Facial recognition at stadiums: The Danish data protection authority reauthorized Brøndby football club’s use of facial recognition at stadiums for its matches. Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order so that such persons can be apprehended when they subsequently try to access the stadium again. The club must ensure it observes the duty of disclosure when collecting the personal data of individuals concerned and provide information that access control is being carried out. The storage period for such data would be for 30 days or even longer. 

Personalised ads: Criteo, which specialises in “behavioural retargeting”, was fined 40 million euros in France for failing to verify an individual’s consent and the fulfilment of data subject rights. The company collects the browsing data of Internet users thanks to its cookie which is placed on their terminals when they visit certain e-commerce websites. The company determines which advertiser and which product would be most relevant to display to a particular user. Then, it participates in real-time bidding to display it. Additionally, when a person exercises their right to withdraw consent or deletion of their data, the process implemented by the company only stops the display of personalised advertisements to the user and does not delete the identifier assigned to the person or erase navigational history. 

E-mail service provider: The Finnish data protection authority has issued a notice to an e-mail service provider, as the company had not offered users the possibility to transfer their e-mail messages from the service as required by the GDPR. Users of the free version of the e-mail service could only export their messages manually, one at a time. By contrast, customers who paid for the service were offered tools that made it possible to export messages in bulk. As a rule, the data subject must receive their personal data in a structured, commonly used and machine-readable format, and the controller must not make it difficult or prevent the transfer of data (Art. 20 of the GDPR, “Right to data portability”).

Data security

Mobile device data: To assist organisations with deployment strategies, the US National Institute of Standards and Technology released a revised guide for managing the security of mobile devices in the enterprise. The publication describes a five-step enterprise mobile device deployment life cycle:

  • Identify Mobile Requirements (choose between Bring Your Own Device and Corporate-Owned, Personally-Enabled).
  • Perform Risk Assessment (repeated on a regular basis).
  • Implement Enterprise Mobility Strategy (management, policies, configurations, system testing, additional security).
  • Operate and Maintain (control settings, periodic audits).
  • Dispose of and/or Reuse Devices.

Big Tech

Draft Data Act: The Council and the Parliament reached an agreement on rules for accessing and using data collected in the EU across all economic sectors, where the data are generated by smart objects, machines and devices. The Data Act will give consumers more control over their data by strengthening portability rights, interoperability standards and safeguards against unlawful data transfers by service providers. It takes into account existing horizontal and sectoral laws, including the GDPR.

It has received criticism from a variety of sources, including crypto industry bodies objecting to the broad classification of smart contracts as "computer programs". Smart contracts could in principle be built with the access-control mechanism the Act envisages, but critics argue this would undermine the technology's basic functions. Software businesses expressed concern about a clause requiring companies to share data in ways that might jeopardise trade secrets. Some scientists, moreover, worry that the Data Act's goal of expanding access rights to big data favours companies, and that publicly financed science will suffer as a result.

Metaverse: Finally, the EU Parliament issued a comprehensive analysis of the metaverse. Commercial, industrial and military applications bring both opportunities and significant concerns for everyday life, health, work and security, says the paper. A metaverse can be provided by public or private actors, for single users or as a networking platform. It can mirror reality, simulate an entirely new space with new actors, or mix both. Forecasts suggest that we are entering a decade of the metaverse and that it will take 6 to 8 years to reach its full potential. However, important elements of the metaverse such as digital ethics, digital twins, blockchain, generative AI, tokenisation and digital humans will start to have a significant impact much earlier (within 1 to 3 years for some, 3 to 6 years for others).

The post Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ appeared first on TechGDPR.

Misconceptions about the role of a Data Protection Officer (DPO) https://techgdpr.com/blog/dpo-misconceptions-about-the-role-of-a-data-protection-officer/ Wed, 14 Jun 2023 11:51:11 +0000 https://s8.tgin.eu/?p=6502
For many organisations, the appointment of a DPO has become mandatory. Although Articles 37 to 39 of the GDPR make provisions for the designation, position and tasks of a DPO, some misconceptions still exist about who needs one, who can be one and what kind of tasks a DPO can undertake.

Who is a DPO?

According to GDPR Art. 39, the data protection officer is responsible for:

  • advising the controller or processor about their obligations under the GDPR and monitoring compliance with the same;
  • awareness-raising and training of staff involved in processing operations and related audits;
  • cooperating with, and acting as contact point for the supervisory authority on issues relating to processing.

According to Article 38.3 of the GDPR, the DPO shall report directly to the highest management level of the controller or processor. The same provision states that the DPO must not receive instructions from the controller or processor regarding the exercise of their tasks, and shall not be dismissed or penalised for performing those tasks.

Based on the foregoing, a DPO is an independent officer reporting to top-level management of an organisation and responsible for monitoring compliance with, and advising on applicable data protection laws within that organisation.

A DPO can be either a qualified individual or an organisation. According to Article 37.6 of the GDPR, a DPO may fulfil their tasks on the basis of a service contract. The Article 29 Working Party (WP29) further explains that such a service contract may be concluded with an organisation providing DPO services. In that case, individual skills can be combined so that several people working as a team serve the client; such organisations offer DPO as a service.

Does my organisation need a data protection officer?

The office of the DPO is a statutory creation. Having looked at its tasks, you might ask: do I need one? Article 37 of the GDPR states that controllers and processors shall designate a DPO in any case where one of the conditions below is met. Interestingly, it lists the instances in which a DPO must be appointed, but not those in which it is unnecessary. According to Article 37 GDPR, appointment is necessary where:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.

In all other cases, GDPR Article 37.4 leaves it to the organisation to appoint a DPO voluntarily, unless Union or member state law requires one.

Section 38 of the German Federal Data Protection Act (BDSG) provides that the controller and processor shall designate a data protection officer if:

  • they constantly employ, as a rule, at least 20 persons dealing with the automated processing of personal data;
  • the controller or processor undertakes processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679;
  • they commercially process personal data for the purpose of transfer, of anonymised transfer, or for purposes of market or opinion research […], regardless of the number of persons employed in the processing.

Misconception

Every German business needs to appoint a DPO.

Clarification

Under the BDSG in Germany, your business must appoint a DPO if it:

  • constantly employs, as a rule, at least 20 persons dealing with the automated processing of personal data;
  • undertakes processing subject to a data protection impact assessment under Article 35 GDPR, regardless of headcount;
  • commercially processes personal data for the purpose of transfer, of anonymised transfer, or for purposes of market or opinion research, regardless of headcount.

Under the GDPR, organisations need to appoint a DPO if:

  • they are a public authority or body, except for courts acting in judicial capacities;
  • their core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale;
  • their core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions and offences.

Can I appoint an employee within my organisation as DPO?

Misconception

Anyone with the relevant knowledge within my organisation can be its DPO.

Clarification

According to Article 37.6 of the GDPR, the DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract. However, Article 38.6 requires the organisation to ensure that any other tasks and duties of its DPO do not result in a conflict of interests, and Article 38.3 states that the DPO shall:

  • not receive instructions regarding the exercise of its tasks;
  • not be dismissed or penalised for performing its tasks;
  • directly report to the highest management level.

Conflict of interest

A conflict arises where the DPO also determines the purposes and means of the processing of personal data. For instance, a Chief Information Security Officer will often implement measures to secure data, such as establishing access controls. Steps taken to secure data can themselves qualify as processing, for example the pseudonymisation and encryption of data. It would therefore create a conflict of interest if the same officer determined those means of processing and, as DPO, also had to judge whether those means comply with the GDPR.

In September 2022, the Berlin supervisory authority fined an e-commerce company €525,000. The company had appointed an employee in a managerial position as DPO, so that he was expected to independently monitor decisions he had himself taken in his other capacity. The authority stated that a data protection officer cannot both monitor compliance with data protection law and co-decide on it. Such self-monitoring contradicts the independent function of a DPO, who is supposed to oversee data protection compliance within the company.

The WP29 in its Guidelines on Data Protection Officers (DPOs) states that ‘… conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’

Measures to avoid DPO conflict of interest within an organisation

Controllers and processors can put measures in place to avoid a conflict of interest when appointing an internal DPO. The WP29 provides a list of measures in its Guidelines on DPOs; the list is not exhaustive, and organisations should take whatever further measures their situation requires. The WP29 suggests that organisations should:

  • identify the positions which would be incompatible with the function of DPO;
  • draw up internal rules to this effect in order to avoid conflicts of interests (written rules also help management stick to them);
  • include a more general explanation about conflicts of interests;
  • declare that their DPO has no conflict of interests with regard to the DPO function, as a way of raising awareness of this requirement;
  • include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed […]. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.

Summary

The GDPR specifically provides for the office, appointment, position, tasks and duties of a DPO. Whether or not you need one depends on the factors stated in the GDPR and on the applicable national data protection law. When appointing an employee as your DPO, it is also important to assess the possibility of a conflict of interests. Internal DPOs are more prone to conflicts of interests because they usually hold other roles in the organisation, and organisations should consider which of those roles would prove incompatible with the DPO's independent oversight.

No specific section of the GDPR deals with the liability of a DPO for ensuring compliance, because controllers and processors remain liable for non-compliance at all times. Understandably, an officer who can carry out their tasks without fear is more likely to act independently; and because DPOs do not make management decisions or determine the purposes and means of processing, they cannot be held liable for those decisions. According to the WP29 Guidelines, a DPO may still be dismissed legitimately for reasons other than performing his or her tasks as a DPO (for instance, in cases of theft, physical, psychological or sexual harassment, or similar gross misconduct).

If you would rather appoint an external DPO or need help in determining whether to appoint one, contact us for a tailored assessment.

The post Misconceptions about the role of a Data Protection Officer (DPO) appeared first on TechGDPR.
