Report on Supply Chain Compliance 3, no. 11 (May 28, 2020)
The Belgian Data Protection Authority (DPA) imposed a fine of EUR 50,000 for noncompliance with the GDPR conflict of interest requirement. According to an analysis by Cordery Compliance:
The Belgian DPA decided that although the [organization’s data protection officer (DPO)] had been sufficiently involved in the data protection processes referred to in this matter…, by appointing as DPO the person who was the director of the separate compliance, risk management and audit departments, the organisation was non-compliant with the requirement to ensure that its DPO had no conflicts of interest. According to the Belgian DPA, there was no possibility of independent supervision by the DPO of each of these three departments, and the accumulation of these functions could lead to insufficient guarantees of secrecy and confidentiality towards employees….
The major takeaway is that companies should ensure they appoint an independent DPO who is not also the head of another department. A few other pointers are:
Either check and update an existing list or job description and role profile or create a new document that sets out the DPO’s duties, tasks and responsibilities;
Review the relationship between the DPO and senior management;
Determine whether there are any possible current or future conflicts of interest. If this seems to be the case, consider reassigning some of the DPO’s roles and responsibilities; and
Check local law requirements concerning DPOs—Germany is an example of a jurisdiction that has some specific requirements with regard to DPOs.
1 Jonathan Armstrong and André Bywater, “Belgian Regulator Imposes Euro 50,000 Fine for Non-Compliance with Data Protection Officer GDPR Requirements,” Cordery Compliance, May 19, 2020, https://bit.ly/3e5TCSh.