The Litigation Chamber of the Belgian Data Protection Authority (DPA) imposed an administrative fine of 50,000 EUR on a Company for an infringement of Article 38.6 of the General Data Protection Regulation (GDPR) in April 2020.
Article 38.6 of the GDPR stipulates that “The Data Protection Officer (DPO) may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
The DPA argued that in this case, the DPO assumed the responsibility for three departments as the Head of Compliance, Risk Management, and Internal Audit. In deciding whether there was a conflict of interests, the DPA assessed the following:
- Whether the DPO, in their capacity as the Head of these three departments, had the responsibility to determine the purposes and means of processing of personal data within those departments. The DPA considered the elements of ‘control’ and ‘decision-making powers’ inherent in such a leadership role within a company.
- Whether the DPO in their capacity as the Head of the three departments had significant and important operational responsibility for the data processing processes that fell within the domain of audit, risk and compliance.
- Whether the Company had implemented an internal policy to prevent conflict of interests.
The DPA concluded that the role of the Head of Compliance, Risk Management, and Internal Audit could not be reconciled with the position of the DPO, who must be able to carry out their duties independently. The DPA concluded there was a material conflict of interest in this case.
The Company also failed to demonstrate satisfactorily, by establishing an adequate policy, that its DPO was acting independently, and was therefore in breach of Article 38.6 of the GDPR.
The DPA considered the following factors in deliberating on the amount of fine to be imposed:
- Negligence by the Company – The DPA found the negligence to be ‘serious’ due to the nature of the business of the Company which involved the processing of sensitive personal data on a very large scale;
- The position of the DPO not being entirely new, since it had existed in European Member States for a long time before the advent of the GDPR;
- The DPO Guidelines issued by the former Article 29 Working Party, which in the DPA's opinion are clear on the extent to which the DPO may also perform other functions within a company, taking into account the organisational structure specific to each organisation, which must be assessed on a case-by-case basis;
- The duration of the infringement, being from 25 May 2018 until the date of the hearing (14 February 2020).
This decision may well be challenged on appeal, but the DPA raises interesting and useful points which you need to consider for your organisation now:
- Assess whether your DPO has responsibilities which may be incompatible with their function
- Work on an internal policy which aims to prevent conflict of interests
- Assess the role of your DPO against this policy to verify any potential conflict of interests
- Where there is no conflict of interests, document your position and justification
- Where there may be a conflict of interests, take appropriate measures. This could involve:
  - Removing the non-DPO tasks assigned to your DPO;
  - Designating another staff member who is able to act independently, bearing in mind that this person must be chosen on the basis of their ‘professional qualities’ and ‘expert knowledge of data protection law’; or
  - Outsourcing the role of the DPO to an independent service provider, which is permitted under Article 37.6 of the GDPR.