In a decision dated 28 April 2020, the Belgian Data Protection Authority imposed an administrative fine of EUR 50,000 on a telecom services provider for having appointed as its Data Protection Officer its existing Director for Audit, Risk and Compliance; considering that the combination of roles was a serious breach of Article 38 of the GDPR.
For many organisations, the thorny issue of whether a Data Protection Officer (“DPO”) can also have another role in the organisation has been a complex puzzle to solve since the General Data Protection Regulation (“the GDPR”) came into force. Whilst a similar DPO function existed in some national legislation pre-GDPR, organisations tend to struggle to identify who should act as a DPO when they decide to appoint one internally.
From our experience, the main hurdle which organisations face is in complying with Article 38(6) of the GDPR, which provides:
“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” (emphasis added)
A decision on 28 April 2020 from the litigation chamber of the Belgian Data Protection Authority (“the Litigation Chamber” or “the GBA”) (the "Belgian DPO Decision") provides a practical insight on how regulators may understand this requirement. Here, the GBA imposed an administrative fine of EUR 50,000 on a telecom services provider (“the Defendant”), for having appointed their Director for Audit, Risk and Compliance as their DPO, considering that the combination of roles was a serious breach of Article 38 of the GDPR.
Guidance up to this decision
Until the Belgian DPO Decision, there was very little indication on how to interpret the no-conflict requirement:
- In 2016, the Bavarian State Office for Data Protection Supervision (“the BayLDA”) ruled that the position of IT Manager of a company was incompatible with the duties of a DPO under the then German data protection law (“the BayLDA Decision”).
- Later in 2016, the Working Party 29 issued guidelines on DPOs (the “Guidelines on DPOs”), which were revised in 201, specifically addressing GDPR requirements. Regarding conflicts of interest, the Guidelines on DPOs state that:
“the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (emphasis added)
This is because such a scenario would place the DPO in a situation of conflict of interests, which may mean that the DPO could not carry out his or her role effectively, because s/he would be asked to scrutinise processing in respect of which s/he had taken key decisions.
- In a decision dated 28 May 2019, the GBA considered that the DPO should not take the decision to delete data at the request of an individual but should only advise the data controller to do so. At this time, the GBA decided to warn the Defendant without imposing any sanction.
The Belgian DPO Decision
In this case, the Defendant experienced a personal data breach which came to the GBA's attention. In the context of the subsequent inquiry, the investigation chamber of the GBA (the “Investigation Chamber”) noted that:
- the DPO did not seem to be sufficiently involved in the process of assessing the risk of personal data breaches (the "Level of Involvement Argument"); and
- the DPO was also acting as the Director of Compliance, Risk and Audit for the Defendant, which placed them in a position of conflict of interest (the "Conflict of Interest Argument").
Though this decision can be appealed and only reflects the position of one regulator, the parties' submissions in the proceedings on these two arguments and the resulting decision of the GBA's Litigation Chamber bring some clarifications about the DPO role. We have summarised these in the tables below.
Breaching DPO independence requirements – the consequences
In application of Article 83(4) of the GDPR, an infringement of the provisions of Article 38 of the GDPR can be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In the case of the Belgian DPO Decision, the latest worldwide annual turnover declared by the Defendant was EUR 3,886,699,793.
In determining the amount of the fine, the GBA relied on the following 3 criteria:
(i) The availability of guidelines from Working Party 29 on DPOs, which include details regarding the requirements in terms of conflict of interests;
(ii) The nature of the Defendant’s business;
a. The level of maturity of such an organisation (major telecom provider);
b. The amount of personal data processed, and therefore the increased amount of individuals subject to a risk of non-compliance;
(iii) The duration of the breach of Article 38(6) of the GDPR, given that the Defendant had not changed their DPO before the hearing.
Based on these criteria, the GBA imposed an administrative fine of EUR 50,000. The GBA also clearly stated that it imposed the fine in order to “vigorously” enforce the GDPR.
The decision may still be appealed, and it reflects the position of the Belgian data protection authority only. However, given the rationale mainly relies on the Guidelines on DPOs, we believe that organisations should consider the key takeaways.
Involving the DPO
Conflict of interest
(i) DPOs who head or manage departments are likely to be in a situation of conflict of interest;
(ii) More junior personnel in another department may be less likely to have this risk (but this cannot be assumed). Although the decision does raise this possibility, appointing a more junior member of staff from a non-privacy department may raise other difficulties – in particular, it may then be harder to show that the person is independent and does not receive instructions as to how to perform the role; qualifications and reporting to the highest management may also be harder to secure;
(iii) Conflicting roles may include IT managers, General Counsel, Head of Compliance, Head of Audit, Head of Finance, Head of Marketing, Head of HR or – based on this decision – any other head of a department involving the processing of personal data.