On April 28, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €50,000 fine on a company for non-compliance with the requirements under the General Data Protection Regulation (“GDPR”) related to the appointment of a data protection officer (“DPO”).
Following the notification of a data breach, the Belgian DPA started an investigation into the notifying company’s data protection practices and privacy program. The investigation focused on three alleged infringements of the GDPR, in particular, (1) the duty to cooperate with the DPA, (2) the accountability obligations (including with respect to data breach notification-related risk assessments), and (3) the requirements related to the position of the company’s DPO.
In its decision, the Litigation Chamber of the Belgian DPA only upheld the alleged infringement of the GDPR’s DPO requirements (in particular Article 38(6) of the GDPR), arguing that by appointing the Head of the Compliance, Risk Management and Audit department as DPO, the company had failed to comply with its obligation to ensure that its DPO is free from any conflict of interest. In particular, the Belgian DPA’s Litigation Chamber indicated in its decision that:
- If the DPO, as Head of the Internal Audit department, has decision-making power with respect to the dismissal of employees, this is not compatible with the DPO’s role as a confidential advisor for data protection-related matters.
- The fact that the departments for which the person acting as the company’s DPO heads (i.e., the Compliance, Risk Management and Audit department) fulfill an independent and advisory role in relation to the other business departments and, as such, do not have decision-making powers with respect to the company’s data processing activities does not necessarily mean that the individual’s tasks as Head of these departments are compatible with his tasks as the company’s DPO.
- In their capacity as head of the Compliance, Risk Management and Audit departments, the person appointed as the company’s DPO determines the purposes and means of the processing of personal data taking place in the context of these departments and, therefore, is responsible for these data processing activities.
In light of this, the Litigation Chamber of the Belgian DPA concludes that combining the role of department Head with the role of DPO gives rise to a significant conflict of interest. In the case at hand, the Belgian DPA maintains that due to the combination of roles, there is a complete lack of independent DPO oversight concerning the data processing activities taking place in the context of the Compliance, Risk Management and Audit departments. In addition, the Belgian DPA indicates that, due to his dual role, the DPO may not be able to provide sufficient guarantees to the concerned employees in terms of confidentiality and secrecy.
In light of the above, the Litigation Chamber has ordered the company to take measures to resolve the issue within a period of three months. Furthermore, the Litigation Chamber has decided to impose an administrative fine of €50,000. According to the Belgian DPA, such a fine is appropriate as the infringements result from serious negligence of the company, and considering that:
- The concept of a DPO is not a new concept and has existed in various Member States and organizations for many years;
- The company should have been prepared for the introduction of the DPO role by the GDPR, in particular, given that its core business activity involves processing of personal data on a very large scale, including data of a sensitive nature. As a result, the infringement could have an impact on millions of individuals; and
- The duration of the infringement, which started in May 2018 (when the GDPR became applicable) and lasted until February 2020.
The decision may still be appealed at the Market Court. Read the Belgian DPA’s decision (in Dutch).