First decision regarding a data protection officer
On 28 April 2020 the Belgian data protection authority (BDPA) issued an administrative fine relating to a wrongful appointment of a data protection officer (DPO).
The litigation chamber of the BDPA has recently issued a judgement imposing an administrative fine of 50,000 EUR on an organization that had appointed a DPO in violation of certain principles of the General Data Protection Regulation (GDPR).
The BDPA initially opened its investigation following a data breach within the organization. The inspection report indicated that the organization had allegedly committed three serious infringements of the provisions of the GDPR, namely:
- Non-collaboration with the supervisory authority (art. 31 GDPR);
- Non-compliance with the accountability principle (art. 5.2 GDPR); and
- Non-compliance with the obligation to avoid a conflict of interest for the appointed DPO.
In its judgement, the litigation chamber of the BDPA only upheld the alleged infringement relating to the ‘conflict of interest’.
The BDPA stated that the DPO had a conflict of interest due to his other “executive positions” within the organization (i.e. head of Compliance, Risk & Management and Internal Audit).
According to the BDPA, the fact that these executive functions did not give the DPO any decision-making powers over the data processing activities does not in itself mean that they can be combined with the mandate of DPO.
In addition, the BDPA stated that a conflict of interest needs to be evaluated on an ‘ad hoc’ basis and concluded that in this case – as head of the Compliance, Risk & Management and Internal Audit Department – the DPO had an impact on how the processing of personal data would be performed (i.e. determining the purposes and means of the processing activities), and that this is not in line with the Guidelines on DPOs of Working Group 29 (the Article 29 Working Party).
In light of these elements the litigation chamber of the BDPA ruled that the organization should resolve the matter within a period of three months and pay an administrative fine of 50,000 EUR. The BDPA justified the amount of the administrative fine based upon the following elements:
- The function of DPO has already existed for several years; and
- The organization should have made the necessary preparations given the fact that the processing of personal data was a core business activity of the organization and the processing takes place on a very large scale; and
- The infringement had already started as of 25 May 2018.
The decision of the BDPA shows the importance of the independence of the DPO function within an organization. This decision might be appealed before the Market Court (‘court of appeal’).