In a decision of April 28, 2020, the Belgian Data Protection Authority (DPA) imposed a fine of €50,000 in a case where a data protection officer (DPO) also performed an incompatible function. According to the DPA, a DPO cannot hold a (managerial) position within the organization in which he or she can determine the purpose and/or means of the processing of personal data.
However, almost exactly one year later, in a decision of April 26, 2021, the DPA seems to have adopted a more pragmatic approach on the functions performed by a DPO within an organization.
Below are the most important takeaways of both decisions.
Initial position of the DPA: very strict delineation
The 2020 case was brought before the DPA following a data breach notification. When investigating the data breach, the DPA discovered the conflict of interest of the DPO, who was also acting as the director responsible for audit, risk and compliance within the company.
In accordance with article 38.6 GDPR, the DPO may fulfil other tasks and duties, but "the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interest".
While a conflict of interest must be evaluated on a case-by-case basis within the structure of the specific organization, the DPA refers to the Guidelines of the Article 29 Working Party adopted on December 13, 2016, on Data Protection Officers (as amended). The Guidelines establish that the tasks and duties of a DPO must not result in a conflict of interest, meaning that the DPO cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data. Unacceptable functions may include:
- Formal approach: senior management positions such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of human resources or head of IT departments;
- Functional approach: roles lower down in the organizational structure if such positions or roles lead to the determination of purposes and means of processing.
In addition, the DPA adds that a conflict of interests may also arise if an external DPO is asked to represent the controller or processor before the courts in cases involving data protection issues.
The DPA decided that combining the function of DPO with that of director responsible for audit, risk and compliance within the company inevitably entails that this person determines the purpose and means of the processing of personal data, so that no independent supervision is possible. The combination thus represented a clear conflict of interest (formal approach).
DPA changes course: new insights following a decision of April 26, 2021
The previous decision was widely commented on and criticized, especially the finding that the function of the head of a department is almost by definition incompatible with the role of DPO due to a lack of independent supervision, even where the head of department would in practice have only an advisory function.
In its 2021 decision, the DPA accepted that the DPO role could be combined with a role as chief information security officer (“CISO”) and has taken a more functional approach overall, i.e.:
- The CISO performs risk analyses – as head of the department – and presents suggested mitigation measures to the management;
- Management decides whether or not to adopt the suggested measures;
- Security measures are not within the scope of the function of the CISO.
With this decision, the DPA has taken a more functional approach to conflicts of interest of leading individuals / managers as DPO within their organizations. Notwithstanding the foregoing, it is advisable to keep the following rules of thumb in mind:
- Identify the positions that could be incompatible with the function of DPO (formal and functional approach);
- Draw up internal rules in order to avoid conflicts of interests;
- Explain to your entire organization that the DPO has no conflict of interests with regard to their function as a DPO, as a way of raising awareness of this requirement;
- Ensure that the job description of the DPO is sufficiently specified and detailed, even if this position is normally filled internally.