Belgian DPA issues €50,000 fine for DPO’s Conflict of Roles
June 2020
On 28 April 2020, the Belgian Data Protection Authority (“DPA”) fined a Belgian company €50,000 for breach of Article 38(6) of the GDPR:
“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance.
The Litigation Chamber stated that the administrative fine was not imposed with the intention of terminating the violation, but rather with a view to vigorously enforcing the rules of the GDPR. In this respect, the Litigation Chamber specified that, although there was no element showing an intentional infringement, there was serious negligence on the part of the defendant.
The Article 29 Working Party Guidelines for Data Protection Officers explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is thus an essential conflict of interest. The role of departmental manager is thus inconsistent with the function of DPO who must be able to perform his or her tasks independently.
Where the same person performs the role of data controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, that person lacks independence.
By Judy de Castro - Regulatory Consultant