Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing a DPO who holds another senior role in the organization.

Article 38.6 of the EU’s General Data Protection Regulation (GDPR) allows that a DPO may fulfill other tasks and duties assigned by an organization, provided such duties do not result in a conflict of interest. Since the GDPR came into effect in May 2018, we have seen limited regulatory enforcement focused on the DPO’s role. The Belgian DPA’s fine complicates this landscape and highlights key considerations for organizations with respect to the appointment of a DPO.

Perhaps it is not surprising that Germany was the first to bring an enforcement action relating to DPOs, given that the German Federal Data Protection Act required the appointment of a DPO for most German organizations years prior to the GDPR’s implementation. At the end of 2019, the federal German DPA (BfDI) fined a telecommunications provider €10,000 for repeatedly failing to appoint a DPO despite multiple requests from the German DPA. In this instance, the fine was substantially smaller than it might otherwise have been because the entity was considered a microenterprise – a business with fewer than 10 employees and less than €2 million in either revenue or total assets.

Also last year, an individual complained to the DPA in the German state of Hamburg about a social media company’s failure to identify a DPO for its German subsidiary. The result was a fine of €51,000 – not for failure to appoint a DPO, but because the Hamburg DPA was not appropriately notified in accordance with GDPR Article 37.7, which requires both the publication of the DPO’s contact details and communication of those details to the relevant supervisory authority. According to the Hamburg DPA’s statement, this fine would have been higher if the social media company had not been as cooperative and professional in its interactions with the DPA. In its summary, the Hamburg DPA indicated that the fine should be a clear warning to other organizations that designating a DPO and communicating that appointment to the appropriate supervisory authority are serious obligations under the GDPR.

The Belgian DPA’s recent fine further illustrates the importance of selecting the right DPO. Although the investigation was triggered by a personal data breach at the organization, the Belgian DPA alleged several other points of noncompliance with the GDPR, including:

1. The organization failed to cooperate with the Belgian DPA in accordance with GDPR Article 31 and lacked accountability for the principles related to personal data processing as required by GDPR Article 5.2.
2. The organization’s DPO was not sufficiently involved in discussions of personal data protection to comply with GDPR Article 38.1, which requires the DPO to be involved, properly and in a timely manner, in all issues related to personal data protection. Specifically, the DPO was only informed of the outcomes of risk assessments and not consulted during the process.
3. Because the organization’s DPO also served as head of compliance, risk and audit, the DPO was not sufficiently free from conflicts of interest as required by GDPR Article 38.6, which allows that the DPO may assume other tasks and duties if those do not result in a conflict of interest.

The defending organization challenged these findings, and the Belgian DPA’s Litigation Chamber (the Chamber) ultimately agreed with the defendant on the first two points. The Chamber first held that the organization’s replies throughout the investigation indicated both accountability and cooperation. It further held that in practice a DPO’s role is to provide advice and assistance as an adviser, and the DPO was in fact involved during the risk assessment process and independently analyzed privacy risks before the organization made final decisions.

On the third point, alleging a conflict of interest, the defending organization argued that the DPO’s additional responsibilities as head of compliance, risk and audit were advisory only and did not allow him to make decisions about the purposes and means of personal data processing. The DPA disagreed, arguing that the DPO did more than advise, as his audit role involved significant operational oversight for various types of data processing. The DPA also explained that the existence of a conflict of interest is not only limited to instances where the DPO also determines the purpose and means of the processing. Rather, conflicts of interest must always be assessed on a case-by-case basis.

Notably, the DPA highlighted that the organization had not implemented a policy defining the DPO’s role until at least July 2019. Although such a policy had been prepared, the DPA indicated that such preparation alone was not enough to demonstrate the DPO’s independence.

Here, the Belgian DPA’s Litigation Chamber agreed with the DPA. The Chamber was concerned with the compatibility of the DPO role and the internal audit role. As head of audit, the DPO had decision-making powers to assess processes and employee performance, which the Chamber found conflicted with the DPO’s confidentiality requirements under GDPR Article 38.5. The Chamber raised concerns that the accumulation of the functions in one individual might lead to insufficient employee confidentiality. The Chamber determined that the responsibilities assigned to the DPO as head of compliance, risk and audit undeniably indicated that the DPO would be determining the purposes and means of the processing of personal data within those three departments. Citing the Article 29 Working Party’s DPO guidelines, the Chamber explained that the DPO cannot function independently where he or she determines the purposes and means of the processing of personal data, as this presents a material conflict of interest; accordingly, a department head role cannot be reconciled with the DPO position, as the DPO must be able to carry out his or her duties independently.

Although the Chamber ultimately found that the defending organization did not intentionally violate the GDPR, it explained that the fine imposed was appropriate due to the organization’s serious negligence in combining these roles. It noted that the DPO concept is not new; it previously existed in many Member States, and the Article 29 Working Party’s DPO guidelines are several years old. The Chamber imposed the fine for the duration of the infringement, dating back to May 25, 2018, when the GDPR went into effect. The organization also must align its DPO appointment with the GDPR by resolving the conflict of interest within three months. The Chamber’s holding may still be appealed.

Takeaways

• As is frequently the case, fines often follow other events that bring an organization to the regulator’s attention. Whether the initial trigger is an individual’s complaint or the reporting of a personal data breach, the DPA’s investigation may delve into other aspects of an organization’s GDPR compliance.
• Organizations should ensure that a DPO is appointed when required and that the DPO appointment is clearly communicated to the relevant authorities. If a DPO is not appointed, the organization should document the analysis underlying its decision-making process.
• It may be appropriate to revisit the company’s DPO appointment decision in light of the additional considerations raised by these enforcement actions. The Article 29 Working Party’s DPO guidelines advise that DPOs cannot also hold “senior management positions (such as chief executive, chief operating, chief financial, chief medical officers, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down” in the organization if those roles lead to the DPO determining the purposes and means of processing personal data. An enforcement action by the German state of Bavaria’s DPA predating the GDPR found a conflict of interest where a DPO also held a role as an IT manager. This recent Belgian decision would seem to expand on the Working Party’s guidelines to include all department heads, further shrinking the pool of potential dual roles for DPOs within an organization. This could present unique challenges for smaller entities without the staff or means to appoint a full-time DPO.

Regardless of who ultimately is appointed as DPO, the Belgian DPA’s action shows that organizations should implement a clear written policy that provides structure for the role, articulates the DPO’s required independence and prevents conflicts of interest, especially if the DPO will be performing other duties or taking on additional roles.