The Belgian Data Protection Authority (Belgian DPA) recently imposed a €50,000 fine on a large telecommunications operator (the company), for failing to comply with the GDPR in relation to the appointment of their Data Protection Officer (DPO). The Belgian DPA decided that the DPO’s tasks and duties under the GDPR conflicted with its role as Head of Audit, Risk and Compliance.
The company self-reported a data breach to the DPA, which led to a wider investigation into the security of its data processing operations. The investigation focused on three potential breaches of the GDPR: (1) the company’s duty to cooperate with the DPA (Article 31 GDPR); (2) the company’s accountability obligations (Article 5(2) GDPR); and (3) the position of the DPO, who was allegedly not sufficiently involved in discussions surrounding data breaches (Article 38(1) GDPR) and not sufficiently independent insofar as the DPO also acted as Head of Audit, Risk and Compliance (Article 38(6) GDPR). The only infringement found related to the third issue, and specifically to the independence requirement in Article 38(6).
The Belgian DPA found that it is insufficient for a DPO merely to be “informed” about a data breach: the DPO must be consulted as early as possible in the process. In this case, however, the evidence indicated that the DPO had been appropriately involved in the response to the data breach. As regards the DPO acting as Head of Audit, Risk and Compliance, the company argued that the DPO had only an advisory role in that capacity and did not take decisions concerning the purposes and means of data processing activities. The Belgian DPA disagreed, stating that there was no doubt that combining the responsibilities of the Head role with the statutory tasks of the DPO led to a lack of independence. The reason given was that the DPO, as Head of Audit, Risk and Compliance, was also responsible for the processing of personal data carried out in the context of the organisation’s audit, risk and compliance activities. The Belgian DPA noted that this approach was consistent with a decision of the Bavarian data protection authority involving an IT manager who had also been appointed DPO.
The Belgian DPA referred to the Article 29 Working Party Guidelines on Data Protection Officers (as endorsed by the EDPB), which explain that a DPO cannot hold a position within the organisation in which he or she determines the purposes and means of processing personal data. The Belgian DPA also noted that the role of Head of the Audit department in particular carried decision-making power over the dismissal of employees, which it considered incompatible with the DPO’s role as a confidential advisor on data protection matters. It added that the combination of these functions might also undermine the guarantee of secrecy and confidentiality owed to employees under Article 38(5) GDPR, although no breach of that provision was found.
Having found that the DPO did not meet the requirement of independence, the Belgian DPA observed that “the concept of the DPO is not new”, having existed for years in various Member States, and that the company had therefore acted with significant negligence in combining the roles of its DPO. The Belgian DPA also took into account that a large telecommunications company would be expected to prepare carefully for the introduction of the GDPR, and the long duration of the breach, from 25 May 2018 to 14 February 2020.
The company was ordered to take measures to resolve the issue within three months and to pay an administrative fine of €50,000, which the Belgian DPA described as a warning against such breaches with a “view to vigorously enforcing the rules of the GDPR”.
The decision serves as a reminder to businesses to exercise caution when appointing a DPO and when assigning them tasks beyond their statutory tasks and duties under the GDPR. It shows that a DPO should not hold significant operational responsibility for data processing activities carried out by the company while also advising on and supervising that same processing as DPO. Such a position of “self-monitoring” gives rise to a potential conflict of interests.
According to the Belgian DPA, acting as Head of any department while also acting as DPO in relation to that department’s activities threatens the independence of the DPO role and creates a potential conflict of interest. This finding is noteworthy, as the Working Party Guidelines merely list the roles of “chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments” as conflicting with the role of the DPO, although the Working Party did indicate that this list is not exhaustive and that other roles lower down in the organisational structure may also create a conflict of interest if they involve determining the purposes and means of processing.
The Belgian DPA highlighted that companies must consider carefully, on a case-by-case basis, whether the DPO is in charge of making decisions in relation to data processing activities which in fact he/she should be monitoring under the GDPR. This will prove a particular headache for smaller organisations where DPOs often have other roles. The decision may yet be appealed to the Belgian Market Court.