On April 28, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €50,000 fine on a company for non-compliance with the requirements under the General Data Protection Regulation (“GDPR”) related to the appointment of a data protection officer (“DPO”).

Following the notification of a data breach, the Belgian DPA started an investigation into the notifying company’s data protection practices and privacy program. The investigation focused on three alleged infringements of the GDPR, in particular, (1) the duty to cooperate with the DPA, (2) the accountability obligations (including with respect to data breach notification-related risk assessments), and (3) the requirements related to the position of the company’s DPO.

In its decision, the Litigation Chamber of the Belgian DPA only upheld the alleged infringement of the GDPR’s DPO requirements (in particular Article 38(6) of the GDPR), arguing that by appointing the Head of the Compliance, Risk Management and Audit department as DPO, the company had failed to comply with its obligation to ensure that its DPO is free from any conflict of interest. In particular, the Belgian DPA’s Litigation Chamber indicated in its decision that:

  • If the DPO, in the capacity of Head of the Internal Audit department, has decision-making power over the dismissal of employees, this is not compatible with the DPO’s role as a confidential advisor on data protection matters.
  • The fact that the departments headed by the person acting as the company’s DPO (i.e., the Compliance, Risk Management and Audit departments) fulfill an independent and advisory role in relation to the other business departments, and as such have no decision-making power over the company’s data processing activities, does not necessarily mean that the individual’s tasks as Head of these departments are compatible with his tasks as the company’s DPO.
  • In his capacity as Head of the Compliance, Risk Management and Audit departments, the person appointed as the company’s DPO determines the purposes and means of the processing of personal data carried out within these departments and is therefore responsible for those processing activities.

In light of this, the Litigation Chamber of the Belgian DPA concludes that combining the role of department Head with the role of DPO gives rise to a significant conflict of interest. In the case at hand, the Belgian DPA maintains that, because of this combination of roles, there is a complete lack of independent DPO oversight of the data processing activities carried out within the Compliance, Risk Management and Audit departments. In addition, the Belgian DPA indicates that, because of his dual role, the DPO may not be able to offer the employees concerned sufficient guarantees of confidentiality and secrecy.

In light of the above…
