Belgian DPA sanctions a controller for appointing as DPO the director of one of its departments

On 28 April 2020, the Belgian DPA sanctioned Proximus SA (previously Belgacom) with a €50,000 fine on two grounds: non-cooperation under Article 31 of the GDPR, and violation of Article 38(6) of the GDPR by appointing as DPO the director of one of its departments (the Head of Compliance, Risk and Audit). The problem with the latter was a conflict of interest.

The position of the company was that his roles were all advisory in nature and that the person did not have decision-making authority over the processing of personal data. The DPA was unconvinced: as the Head of Compliance, Risk and Audit, the person was responsible for the data processing carried out in compliance, risk and audit activities, and that responsibility created a conflict of interest with his role as DPO. The DPA also noted that the DPO had not been sufficiently involved in the discussion of data breaches. The DPA concluded that the appointed person could not perform his role as DPO in an independent manner and was in a conflict of interest. For a comment on this decision, see this blog.

In 2017, the Belgian DPA had issued a Recommendation on DPO Appointment under the GDPR, warning against an automatic designation of security officers as DPO under the GDPR and referring to the revised guidelines of the Article 29 Working Party published in April 2017 (WP29 Revised Guidelines).

The appointment of a DPO is an important requirement of the GDPR and should not be overlooked.[i]

As a reminder, pursuant to Article 37 of the GDPR, the controller and the processor must designate a DPO when:

      1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
      2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
      3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

The DPO must avoid conflicts of interest. The WP29 Revised Guidelines stress that the DPO shall not hold any task that might give rise to a conflict of interest. Since the GDPR does not prohibit DPOs from carrying out other tasks, the WP29 Revised Guidelines provide examples of positions within the organization that would conflict with the DPO role. These include senior management positions (such as chief executive, chief operating, chief financial or chief medical officer, head of the marketing department, head of Human Resources or head of the IT department) but also any other position that involves determining the purposes and means of processing.

In addition, a conflict of interest may also arise, for example, if an external DPO (such as a lawyer) is asked to represent the controller or processor before the courts in cases involving data protection issues.

For the qualifications that a DPO must have, see this article discussing the skills that a DPO should possess.

For more information, contact Francesca Giannoni-Crystal


____________________

[i] In February 2020, the Hamburg Commissioner for Data Protection and Freedom of Information fined Facebook $55,500 for failing to nominate a data protection officer for its German office; see more here.