Recently, the Belgian Privacy Commission (the “Belgian DPA”) released a Recommendation (in French and Dutch) regarding the requirement to appoint a data protection officer (“DPO”) under the EU General Data Protection Regulation (“GDPR”).
The Recommendation aims to provide guidance in response to the many questions that the Belgian DPA has received so far regarding the DPO function, in particular regarding the compatibility of the DPO function with other existing functions within a company (e.g., security officer, compliance officer, risk manager, human resources director, IT director).
According to the Belgian DPA, companies must assess such compatibility on a case-by-case basis in order to ensure compliance with the requirements of the GDPR and avoid potential conflicts of interest.
In its Recommendation, the Belgian DPA notes that security officers designated under the current Belgian data protection framework cannot automatically be designated as DPO under the GDPR.
In line with the GDPR and the revised guidelines of the Article 29 Working Party published in April 2017, the Recommendation outlines the role and tasks of the DPO under the GDPR, which include (1) monitoring compliance with the GDPR, (2) assisting with data protection impact assessments, (3) assisting with internal record-keeping obligations and (4) cooperating with data protection authorities. Further, the Belgian DPA recalls that companies that appoint a DPO must (1) consult the DPO on questions related to the protection of personal data, (2) provide the DPO with sufficient resources and (3) ensure that the DPO performs his or her role in an independent manner. The Belgian DPA further lists the qualifications a DPO must have in order to accomplish his or her tasks.
The Belgian DPA also recommends that companies document the analysis made on the appointment of a DPO under the GDPR, as well as their final choice with respect to the appointment. It also notes the possibility for companies to appoint external DPOs.