In a decision dated 28 April 2020, the Belgian Data Protection Authority imposed an administrative fine of EUR 50,000 on a telecom services provider for having appointed its existing Director for Audit, Risk and Compliance as its Data Protection Officer, considering that the combination of roles was a serious breach of Article 38 of the GDPR.
For many organisations, the thorny issue of whether a Data Protection Officer (“DPO”) can also hold another role in the organisation has been a complex puzzle to solve since the General Data Protection Regulation (“the GDPR”) came into force. Whilst a similar DPO function existed in some national legislation pre-GDPR, organisations tend to struggle to identify who should act as DPO when they decide to appoint one internally.
From our experience, the main hurdle organisations face is complying with Article 38(6) of the GDPR, which provides:
“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” (emphasis added)
A decision of 28 April 2020 from the litigation chamber of the Belgian Data Protection Authority (“the Litigation Chamber” or “the GBA”) (the "Belgian DPO Decision") provides practical insight into how regulators may understand this requirement. Here, the GBA imposed an administrative fine of EUR 50,000 on a telecom services provider (“the Defendant”) for having appointed their Director for Audit, Risk and Compliance as their DPO, considering that the combination of roles was a serious breach of Article 38 of the GDPR.
Guidance up to this decision
Until the Belgian DPO Decision, there was very little indication on how to interpret the no-conflict requirement:
- In 2016, the Bavarian State Office for Data Protection Supervision (“the BayLDA”) ruled that the position of IT Manager of a company was incompatible with the duties of a DPO under the then German data protection law (“the BayLDA Decision”).
- Later in 2016, the Working Party 29 issued guidelines on DPOs (the “Guidelines on DPOs”), which were revised in 201, specifically addressing GDPR requirements. Regarding conflicts of interest, the Guidelines on DPOs state that:
“the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (emphasis added)
This is because such a scenario would place the DPO in a situation of conflict of interests, which may mean that the DPO could not carry out his or her role effectively, because s/he would be asked to scrutinise processing in respect of which s/he had taken key decisions.
- In a decision dated 28 May 2019, the GBA considered that the DPO should not take the decision to delete data at the request of an individual, but should only advise the data controller to do so. At that time, the GBA decided to warn the Defendant without imposing any sanction.
The Belgian DPO Decision
In this case, the Defendant experienced a personal data breach which came to the GBA's attention. In the context of the subsequent inquiry, the investigation chamber of the GBA (the “Investigation Chamber”) noted that:
- the DPO did not seem to be sufficiently involved in the process of assessing the risk of personal data breaches (the "Level of Involvement Argument"); and
- the DPO was also acting as the Director of Compliance, Risk and Audit for the Defendant, which placed them in a position of conflict of interest (the "Conflict of Interest Argument").
Though this decision can be appealed and only reflects the position of one regulator, the parties' submissions in the proceedings on these two arguments and the resulting decision of the GBA's Litigation Chamber bring some clarification about the DPO role. We have summarised this in the tables below.
Level of Involvement Argument

| GBA's Investigation Chamber | The Defendant |
| --- | --- |
| Article 38(1) of the GDPR requires the DPO to be properly involved, in a timely manner, in all matters related to the protection of personal data. | No GDPR provision should be interpreted as requiring an organisation to consult the DPO; the provision of information to the DPO should be deemed sufficient to comply with Article 38 of the GDPR. |
| In the Investigation Chamber’s view, Article 38(1) was breached because the DPO was only informed of the outcome of the risk assessment, and the DPO’s opinion was not included in the template assessment form. | The DPO was sufficiently involved in this case, because they were informed of the outcome of the risk assessment. |

Conflict of Interest Argument

| GBA's Investigation Chamber | The Defendant |
| --- | --- |
| The DPO was not free from conflicts by virtue of also holding the function of Director of Compliance, Risk and Audit: this role involved significant operational responsibility for data processing activities in the domain of audit, risk and compliance. | The role of Director of Compliance, Risk and Audit was only an advisory role and did not involve the Director in taking decisions. |
Breaching DPO independence requirements – the consequences
In application of Article 83(4) of the GDPR, an infringement of Article 38 of the GDPR can be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In the case of the Belgian DPO Decision, the latest worldwide annual turnover declared by the Defendant was EUR 3,886,699,793.
In determining the amount of the fine, the GBA relied on the following three criteria:
(i) The availability of the Working Party 29 Guidelines on DPOs, which include details regarding the requirements in terms of conflicts of interest;
(ii) The nature of the Defendant’s business;
a. The level of maturity of such an organisation (major telecom provider);
b. The amount of personal data processed, and therefore the increased amount of individuals subject to a risk of non-compliance;
(iii) The duration of the breach of Article 38(6) of the GDPR, given that the Defendant had not changed their DPO before the hearing.
Based on these criteria, the GBA imposed an administrative fine of EUR 50,000. The GBA also clearly stated that it imposed the fine in order to “vigorously” enforce the GDPR.
The decision may still be appealed, and it reflects the position of the Belgian data protection authority only. However, given that the rationale relies mainly on the Guidelines on DPOs, we believe that organisations should consider the following key takeaways.
Involving the DPO
- The DPO must be consulted on all data protection related matters, not merely informed. This means that the DPO must have the opportunity to be involved early in processes relating to data protection matters and to give their opinion.
- Organisations should ensure that all their processes are documented, and that they can explicitly demonstrate that the DPO is consulted at the outset of data protection matters. The lack of documentation regarding the DPO's level of engagement in data breach related processes drew the Investigation Chamber’s attention and was a factor in the decision to refer the case to the Litigation Chamber.
- In the context of a risk assessment of a personal data breach, the DPO should be able to undertake their own risk assessment (or provide their views on the one undertaken by management teams) before a final decision is sought.
- BayLDA press release of 20 October 2016 (only available in German): https://www.lda.bayern.de/media/pm2016_08.pdf
- Working Party 29, Guidelines on Data Protection Officers ('DPOs') (wp243rev.01): http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
- GBA decision of 28 May 2019 (only available in French): https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Be04-2019ANO_FR.pdf