In-house DPOs: Belgian Authority clarifies expectations on conflicts of interest

By Vincent Rezzouk-Hammachi, Benoit Van Asbroeck, Ruth Boardman, Alex Willan, Sara Jameel

06-2020

In a decision dated 28 April 2020, the Belgian Data Protection Authority imposed an administrative fine of EUR 50,000 on a telecom services provider for having appointed its existing Director for Audit, Risk and Compliance as its Data Protection Officer, on the basis that the combination of roles was a serious breach of Article 38 of the GDPR.

For many organisations, the thorny issue of whether a Data Protection Officer (“DPO”) can also hold another role in the organisation has been a complex puzzle since the General Data Protection Regulation (“the GDPR”) came into force. Whilst a similar DPO function existed in some national legislation pre-GDPR, organisations tend to struggle to identify who should act as DPO when they decide to appoint one internally.

From our experience, the main hurdle which organisations face is in complying with Article 38(6) of the GDPR, which provides:

“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” (emphasis added)

A decision of 28 April 2020 from the litigation chamber (“the Litigation Chamber”) of the Belgian Data Protection Authority (“the GBA”) (the “Belgian DPO Decision”) provides practical insight into how regulators may understand this requirement. Here, the GBA imposed an administrative fine of EUR 50,000 on a telecom services provider (“the Defendant”) for having appointed its Director for Audit, Risk and Compliance as its DPO, considering that the combination of roles was a serious breach of Article 38 of the GDPR.

Guidance up to this decision

Until the Belgian DPO Decision, there was very little indication on how to interpret the no-conflict requirement:

  • In 2016, the Bavarian State Office for Data Protection Supervision (“the BayLDA”)[1] ruled that the position of IT Manager of a company was incompatible with the duties of a DPO under the then German data protection law (“the BayLDA Decision”).
  • Later in 2016, the Working Party 29 issued guidelines on DPOs (the “Guidelines on DPOs”), which were revised in 2017[2] specifically to address GDPR requirements. Regarding conflicts of interest, the Guidelines on DPOs state that:

“the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (emphasis added)

This is because such a scenario would place the DPO in a situation of conflict of interests, which may mean that the DPO could not carry out his or her role effectively, because s/he would be asked to scrutinise processing in respect of which s/he had taken key decisions.

  • In a decision dated 28 May 2019[3], the GBA considered that the DPO should not take the decision to delete data at the request of an individual but should only advise the data controller to do so. At that time, the GBA decided to warn the Defendant without imposing any sanction.

The Belgian DPO Decision

In this case, the Defendant experienced a personal data breach which came to the GBA's attention. In the context of the subsequent inquiry, the investigation chamber of the GBA (the “Investigation Chamber”) noted that:

  1. the DPO did not seem to be sufficiently involved in the process of assessing the risk of personal data breaches (the “Level of Involvement Argument”); and
  2. the DPO was also acting as the Director of Compliance, Risk and Audit for the Defendant, which placed them in a position of conflict of interest (the “Conflict of Interest Argument”).

Though this decision can be appealed and only reflects the position of one regulator, the parties’ submissions in the proceedings on these two arguments and the resulting decision of the GBA’s Litigation Chamber bring some clarification about the DPO role. We have summarised this below.

(1) Level of Involvement Argument

GBA’s Investigation Chamber:

  • Article 38(1) of the GDPR requires the DPO to be properly involved, in a timely manner, in all matters relating to the protection of personal data.
  • In the Investigation Chamber’s view, Article 38(1) was breached, as the Investigation Chamber:
    • noted that the DPO was only informed of the outcome of the risk assessment; and
    • noted that the assessment form template made no provision for the DPO’s opinion.

Defendant:

  • No GDPR provision should be interpreted as requiring an organisation to consult the DPO; providing information to the DPO should be deemed sufficient to comply with Article 38 of the GDPR.
  • The DPO was sufficiently involved in this case, because they were informed of the outcome of the risk assessment.

GBA’s Litigation Chamber decision:

  • The DPO should be involved in all data protection matters as early as possible, in line with the Guidelines on DPOs. This means that the DPO should be informed and, most importantly, consulted. Merely informing the DPO at the end of a data protection related process is not sufficient to meet the GDPR requirement; the DPO should not be brought in only at the final decision, after the assessment has been made.
  • On the facts, after assessing the actual level of engagement of the DPO, the Defendant’s process was found to be compliant with the GDPR. The GBA considered that the DPO was consulted in practice, though this did not clearly stand out from the documented processes communicated to the Investigation Chamber.


(2) Conflict of Interest Argument

GBA’s Investigation Chamber:

  • The DPO was not free from conflicts by virtue of also holding the function of Director of Compliance, Risk and Audit: this role involved significant operational responsibility for data processing activities within the domain of audit, risk and compliance.

Defendant:

  • The role of Director of Compliance, Risk and Audit was only an advisory role and did not involve the Director in taking decisions.

GBA’s Litigation Chamber decision:

  • The Director of Compliance, Risk and Audit was the manager of three departments, and as such defined the purposes and the means of the processing of personal data of these business functions.
  • The GBA seemed to consider that, by default, any manager of a business department is led to define such purposes and means, which should therefore exclude them from acting as DPO for the same organisation. Otherwise, the DPO could be asked to monitor the data protection compliance of three departments for which they also define the purposes and means of personal data processing.
  • The GBA also noted that the fact that the DPO was also the head of these other departments could pose a risk to the duty of confidentiality which the DPO owes to data subjects.

Breaching DPO independence requirements – the consequences

Under Article 83(4) of the GDPR, an infringement of Article 38 of the GDPR can be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In the case of the Belgian DPO Decision, the latest worldwide annual turnover declared by the Defendant was EUR 3,886,699,793.

In determining the amount of the fine, the GBA relied on the following three criteria:

(i) The availability of the Working Party 29 Guidelines on DPOs, which include details of the requirements regarding conflicts of interest;

(ii) The nature of the Defendant’s business:

a. The level of maturity of such an organisation (a major telecom provider);

b. The amount of personal data processed, and therefore the increased number of individuals exposed to the risk of non-compliance;

(iii) The duration of the breach of Article 38(6) of the GDPR, given that the Defendant had not changed its DPO before the hearing.

Based on these criteria, the GBA imposed an administrative fine of EUR 50,000. The GBA also clearly stated that they impose the fine in order to “vigorously” enforce the GDPR.

The decision may still be appealed, and it reflects the position of the Belgian data protection authority only. However, given that its rationale relies mainly on the Guidelines on DPOs, we believe that organisations should consider the key takeaways below.

Key takeaways

Involving the DPO

  • The DPO must be consulted in all data protection related matters, not only informed. This means that the DPO must have an opportunity to be involved early in processes related to data protection matters, and that they should have the opportunity to give their opinion.
  • Organisations should ensure that all their processes are documented, and that they can explicitly demonstrate that the DPO is consulted at the outset of data protection matters. The lack of documentation regarding the level of engagement of the DPO in data breach related processes drew the Investigation Chamber’s attention and was a factor in the decision to refer the case to the Litigation Chamber.
  • In the context of a risk assessment of a personal data breach, the DPO should be able to undertake their own risk assessment (or provide their views on the one undertaken by management teams) before a final decision is sought.

 

Conflict of interest

  • Organisations should refrain from appointing DPOs who have other roles in other departments where they have responsibility for decisions relating to purposes and means of personal data processing in that department. It may mean that:

(i) DPOs who head or manage departments are likely to be in a situation of conflict of interest;

(ii) More junior personnel in another department may be less likely to have this risk (but this cannot be assumed). Although the decision does raise this possibility, appointing a more junior member of staff from a non-privacy department may raise other difficulties – in particular, it may then be harder to show that the person is independent and does not receive instructions as to how to perform the role; qualifications and reporting to the highest management may also be harder to secure;

(iii) Conflicting roles may include IT managers, General Counsel, Head of Compliance, Head of Audit, Head of Finance, Head of Marketing, Head of HR or – based on this decision - any other head of a department involving the processing of personal data.

  • There was some discussion in the decision of the use of conflicts of interest policies, whereby an appointed DPO would recuse him or herself from any matter affecting his or her own department. This did not end up forming part of the decision, but could be a useful avenue to explore.
  • Another solution is to hire a dedicated in-house DPO, or to engage an external provider and outsource the DPO function (“DPO as a service”).
 

[1] BayLDA, press release of 20 October 2016 (only available in German): https://www.lda.bayern.de/media/pm2016_08.pdf

[2] Working Party 29, Guidelines on Data Protection Officers (‘DPOs’) (WP243 rev.01): http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

[3] GBA, decision of 28 May 2019 (only available in French): https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Be04-2019ANO_FR.pdf