In a recent judgment of April 26, 2021, the Belgian Data Protection Authority (“DPA”) fined a financial institution (the “Company”) €100,000 for – amongst other things – failure to provide an adequate level of cybersecurity. This is the second highest fine to date and should serve as a huge warning for all companies: The return on investment in cybersecurity is worth your while!
Additionally, the DPA adopted a more functional approach on combining the role of data protection officer (“DPO”) with other leading functions within a company. A lot to cover!
The case started with a complaint from a former spouse (“Complainant”) against the Company, as employer of her ex-husband. During the process of liquidating their joint estate, the ex-husband had used his access to the Central Individual Credit Register (“CICR”) of the National Bank of Belgium to research the personal/financial data of his former spouse 20 times over the course of two years. This occurred without any processing ground, as the Complainant did not have an open credit file with the Company.
The Company's access to the CICR was organised as a two-pronged system: an individual logging system recorded which employees consulted the CICR, but no such record existed for the five managers who also accessed it. Managers, such as the ex-husband, could consult the CICR without leaving any trace, using a single shared login and password.
2. Lack of adequate cybersecurity is a breach of the GDPR
The first and main issue at the heart of the decision was the lack of traceability of people/managers accessing the CICR. Since processing financial data is rather sensitive, even when it is not strictly recognised as such under the GDPR, the DPA was of the opinion that the absence of an adequate logging system was a violation of article 32 GDPR, i.e., of the need to put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk, even when the lack of adequate protection was unintentional.
Furthermore, the DPA considered that the absence of this logging system impeded the exercise of the data subject’s rights, e.g. the Complainant could not get a definitive and comprehensive answer to how her data was processed, which violated her right to access her personal data under article 15 GDPR.
3. New insights on the role of the DPO
Additionally and interestingly, the DPA also ruled on the compatibility of the function of the DPO with leading – advisory – functions, which sheds new light on a previous DPA decision.
One year ago, in its decision of April 28, 2020, the DPA imposed a fine of €50,000 in a case where an individual combined the function of DPO with a leading position within the company. This decision was widely commented on and criticized, in particular for holding that the function of head of a department is almost by definition incompatible with the role of DPO because of the lack of independent supervision, even where that head of department in practice had only an advisory function; in other words, the DPA adopted a rather formal approach.
In the decision of April 26, 2021, and based on the facts at hand, the DPA seems to have taken a more functional approach to the incompatibility of the function of the DPO with that of Chief Information Security Officer (“CISO”) when deciding that:
- The CISO performed risk analyses, i.e. an advisory function – as head of the department – and presented suggested mitigation measures to the management;
- It was up to the management to decide whether or not to adopt the suggested measures;
- Security measures were not within the scope of the function of the CISO, but of the operational IT department.
Notwithstanding the foregoing, it remains unclear whether the DPA has completely abandoned the formal approach to the incompatibility of the DPO with high managerial functions.
4. Key takeaways
a. ROI of cybersecurity measures increases with this decision
ASSESS YOUR CYBERSECURITY. An important general takeaway for companies is to carefully (re)assess the cybersecurity system, not only from a technical but also from an organizational perspective. While some measures are not explicitly mentioned in legal doctrine (e.g. the requirement of a logging system that identifies each user individually), they are necessary to comply with other obligations, such as the rights of the data subject. Conversely, retaining the individual logging data for too long, with the intention of being able to answer data subject access requests adequately, could very well be at odds with the ‘data minimization’ principle. A careful balance needs to be struck.
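As an added illustration, not taken from the decision or from the Company's systems, the constructed Python below shows the kind of per-user logging the DPA found missing: each register lookup is attributed to an individual user rather than a shared account, the log can answer an access request, lookups of subjects with no open credit file and no recorded processing ground are flagged, and entries older than a retention window are pruned. All user identifiers, subject identifiers and timestamps are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RegisterLookup:
    """One consultation of the credit register, always tied to a named individual."""
    user_id: str     # the individual employee or manager who performed the lookup
    subject_id: str  # the data subject whose record was consulted
    at: datetime     # when the lookup happened
    purpose: str     # processing ground recorded at lookup time ("" if none given)


# Constructed sample data: subjects holding an open credit file with the company.
OPEN_CREDIT_FILES = {"S-1001", "S-1002"}

# Constructed sample log: one manager repeatedly consults a subject who has no file.
LOG = [
    RegisterLookup("emp-17", "S-1001", datetime(2019, 3, 4, 10, 5), "credit application"),
    RegisterLookup("mgr-03", "S-2077", datetime(2019, 5, 12, 9, 30), ""),
    RegisterLookup("mgr-03", "S-2077", datetime(2019, 11, 2, 14, 12), ""),
    RegisterLookup("emp-17", "S-1002", datetime(2020, 1, 8, 11, 45), "credit application"),
    RegisterLookup("mgr-03", "S-2077", datetime(2021, 2, 20, 16, 0), ""),
]

# Date of the DPA decision, used as the reference point for retention.
DECISION_DATE = datetime(2021, 4, 26)


def access_request(log, subject_id):
    """Answer an Art. 15 access request: every lookup of this subject, who did it and when."""
    return sorted((e.at, e.user_id, e.purpose) for e in log if e.subject_id == subject_id)


def flag_unjustified(log, open_files):
    """Flag lookups of subjects with no open credit file and no recorded processing ground."""
    return [e for e in log if e.subject_id not in open_files and not e.purpose]


def lookups_per_user(flagged):
    """Count flagged lookups per individual user, which a shared login could never provide."""
    counts = {}
    for e in flagged:
        counts[e.user_id] = counts.get(e.user_id, 0) + 1
    return counts


def prune(log, retention_days, now=DECISION_DATE):
    """Data minimisation: keep only entries still inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in log if e.at >= cutoff]
```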
LACK OF CYBERSECURITY AND CRIMINAL OFFENCES. It is also important to note that a lack of cybersecurity can lead to criminal sanctions, e.g. access by an authorized user for unauthorized purposes can amount to “abuse of confidence” under criminal law.
b. Combining the function of DPO
While the DPA has taken a more functional approach to conflicts of interest where leading individuals/managers within the organization act as DPO, it is advisable to keep the following rules of thumb in mind:
- Identify the positions that could be incompatible with the function of DPO (formal and functional approach);
- Draw up internal rules in order to avoid conflicts of interests;
- Explain to your entire organization that the DPO has no conflict of interest with regard to their function as DPO, as a way of raising awareness of this requirement;
- Ensure that the job description of the DPO is sufficiently specified and detailed, even if this position is normally filled internally.