The GDPR has now been in force for almost two years. A regrettable observation is that a lot of companies are not yet or not sufficiently compliant.For companies that have done all that is necessary, one of the measures has often been the appointment of a DPO or Data Protection Officer. Precisely this role of DPO still causes a great deal of uncertainty for companies. A recent decision of the Belgian Data Protection Authority (DPA) provides some clarification. Make sure that your internal DPO does not have a conflict of interest!
Internal or external DPO?
The GDPR provides the possibility to appoint a DPO both internally within your company and via an external consultant. Many companies opt for the internal version and appoint one of their staff members to take a DPO course. For example at the Data Protection Institute where our lawyers regularly act as instructors. These DPO classes are often a colourful mishmash of people from different sectors with diverse professional backgrounds. Everyone has his or her reason for attending such a training course: instructions from the employer, additional responsibility as security and/or risk manager, healthy curiosity or as a self-employed person checking what you need to do yourself, or what new opportunities lie ahead.
The advantage of having your own DPO within your company is in the first place the thorough knowledge of the organization. The choice to appoint someone internally is therefore often a no-brainer. After all, at first sight there do not seem to be many additional requirements. There are – at least for the time being – no official diplomas and de facto anyone can take up this position as long as this person meets a number of minimum requirements. The most important prerequisites are knowledge of national and European data protection laws and practices, knowledge of the company or of business processes and sufficient independence with regard to the company and with regard to data processing within the company.
But is it always a good decision to appoint one of your staff members as DPO or are there still reasons to hire an external professional?
In a decision of 28 April 2020, the Dispute Settlement Chamber of the DPA reaffirmed the independence and essential role of the DPO. The decision helps us to better assess the role, tasks and responsibilities of a DPO.
In the concerned organization, the appointed internal DPO holds a responsible position in the Compliance department, the Risk department and the Internal Audit department. Since he was Head of Internal Audit, he also had the power of decision in that capacity. According to the Dispute Settlement Chamber, there was a conflict of interest here, stressing that there is a difference between merely analysing processes and assessing the functioning of employees through internal audit, which is at odds with the position of trust held by the Data Protection Officer within the company.
In other words, the DPO (also) determines “the objectives of and the means for processing personal data” on the basis of his other functions. In this way, as DPO, he or she would not be able to independently monitor the handling of personal data and, moreover, the confidentiality and trustworthiness of his or her staff would not be sufficiently guaranteed.
The independence of the DPO and the absolute avoidance of conflicts of interest is reaffirmed by this decision with the reference to the WP29 guidelines (the former European Data Protection Advisory Body). In which is literally stated that the DPO should not hold any position that could determine the purposes and means of the processing of personal data. As a rule of thumb, positions within the organization that involve a conflict of interest are considered to be those of senior management (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, Head of Marketing Department, Head of Human Resources or Head of IT Department). Also lower-level positions within the organizational structure if these persons are to determine the purposes and means of data processing.
The WP29 states as a good practice that every organisation depending on its activities, size and structure should:
- identify the functions that create a conflict of interest;
- to draw up internal rules for this purpose;
- include a more general explanation of conflicts of interest;
- declare that their DPO does not have a conflict of interest, as a way to sensitise others to this requirement of independence;
- include safeguards in the internal rules and ensure that the vacancy for the position of DPO or the service contract is sufficiently precise and detailed to avoid conflicts of interest.
The cost of a DPO conflict of interest: sanction by the DPA
As the DPO in question did have a conflict of interest, in addition to the corrective measure to bring itself back in line with the GDPR, an administrative fine of 50,000 euro was imposed on the organisation.
For the calculation of the fine, the Dispute Settlement Chamber took into account the processing of personal data as a core activity on a very large scale. Including personal data that may have a high degree of sensitivity for data subjects, among other things because they allow for regular and systematic observation. The duration of the infringement was also taken into account, which has been at least from its entry into force until 14 February 2020 (date of the hearing).
So an external DPO is advised?
The appointment of an internal DPO can be very useful from an organizational and financial point of view, but is not without risk. It’s difficult to speak of sufficient independence in an internal relationship. Indepence in this sense is the exclusion of a conflict of interest. If you employ an employee, the employer-employee relationship of authority will continue to play a role anyway. A mere ‘paper’ DPO is contrary to the GDPR, given the essential tasks that the DPO must be able to perform. An independent DPO who dares to go radically against the policy lines of the employer, risks sanctions in the long run. Such as missing out on promotions or even dismissal. True enough, this dismissal is subject to social protection, but it can never be ruled out that in reality there will be creative ways of circumventing this. On the other hand, even if the appointment of an internal DPO is no longer subject to the relationship of authority, the usual positions are still in the business of being able to determine the objectives of and means for the personal data.
It is therefore recommended to appoint an external DPO or at least an external supporting DPO service. Independence will be better guaranteed and the risk of conflicts of interest can be minimised. Moreover, you have the possibility to address profiles that meet all the criteria for a DPO:
- Level of expertise depending on the sensitivity and complexity of the data;
- Professional qualities: thorough knowledge of data protection legislation and practices. This requires a strong legal profile for a correct analysis;
- Ability to perform its duties: demonstrating integrity and professional ethics.
The DPO lawyer as an absolute guarantee
Not surprisingly, lawyers have the possibility to act (exclusively) as an external DPO. The professional requirements of a DPO are fully in line with the deontological obligations a lawyer has to follow. Article 1 of the Deontology Codex literally says: “An attorney at law practises his profession in an expert manner while respecting professional secrecy, the essential duties of independence and partiality, and avoiding conflicts of interest. He respects the principles of dignity, honesty and discretion that underlie the profession“.
Let it be precisely the DPO principles of expertise, integrity, confidentiality, independence and the avoidance of conflicts of interest which, moreover, are guaranteed by disciplinary rules. The Codex explicitly provides that the disciplinary rules continue to apply when the attorney at law acts as DPO. The DPO attorney at law is thus subject to his own supervisory body.
Moreover, lawyers are obliged to be insured for their liability, even when they act as DPO.
Sirius Legal as DPO?
At Sirius Legal we have been acting as an external DPO for our clients since the GDPR came into force.
Sirius Legal gathers lawyers who have been dealing with data protection expertly for many years, acting as external DPOs as well as providing support to internal DPOs in writing independent and well-founded advice.
Our team consists of several trained DPOs and we have been teaching future DPOs for more than 2 years through Data Protection Institute.
Feel free to take a look at our DPO services page.
In addition to ad hoc DPO assignments and assistance to internal DPOs you can also rely on Sirius Legal for a number of specific data protection services:
- Crisis management for data breaches;
- Data Protection Impact Assessments for new services or new processes;
- Entire GDPR compliance trajectories;
- Specific GDPR compliance exercises for marketing- or HR-departments or for webshops and webplatforms;
- Aid for data exchange and export;
- Fixed representation in the EU for non-EU responsible people;