Clinic

Kirjeldus

The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on the other hand, he had to monitor the clinic's compliance with data protection law. The DPA also noted that such a dual role carries the risk that patients and employees would be hesitant to seek the assistance of the data protection officer, also the hospital director, with critical questions about the processing of personal data.