Is your top manager also a Data Protection Officer? You may run a risk of GDPR breach according to Belgian Data Protection Authority

Belgian Data Protection Authority imposed a fine for breach of GDPR's DPO requirements

On 28 April 28 2020, the Belgian Data Protection Authority imposed a EUR 50,000 fine on a company for non-compliance with the General Data Protection Regulation (“GDPR”) due to the conflict of interests and insufficient involvement of the Data Protection Officer (DPO) in the company's activities within the meaning of Article 38 of the GDPR.

Following the notification of a personal data breach, the Belgian supervisory authority initiated an investigation into the incident, in particular in the context of an assessment of the company's internal data protection rules and procedures. It was found that neither formalized rules for the involvement of DPO in the company's activities, nor any policy for the prevention of conflicts of interests were implemented in the company.

The Belgian supervisory authority upheld the infringement of the GDPR’s DPO requirements [in particular Article 38(6) of the GDPR], arguing that by appointing the Head of the Compliance, Risk Management and Internal Audit Departments as DPO, the company had failed to comply with its duty to ensure that its DPO is free from any conflict of interests. If the DPO, as Head of the Internal Audit Department, has decision-making power with respect to the dismissal of employees, this is not compatible with the DPO’s role as a confidential advisor for personal data protection-related matters.

Due to the combination of roles, it is not possible to ensure the independent DPO oversight concerning the data processing activities taking place in the context of the Compliance, Risk Management and Internal Audit Departments. In addition, there are doubts as to whether the DPO, due to his dual role, is able to provide sufficient guarantees to the concerned employees in terms of confidentiality and secrecy.

The Belgian supervisory authority noted that the irregular situation was caused by the serious negligence of the company, in view of the fact that the concept of a DPO has existed in various EU Member States for many years, the company had a duty under the DPO to designate a DPO, since the core activities of the company consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, including the processing of special categories of personal data, wherefore the infringement could have an impact on millions of individuals; and also with regard to the duration of the infringement, which started in May 2018 (when the GDPR became applicable) and lasted until February 2020.

The insufficient involvement of DPO in the company's activities and decision-making processes relevant to the processing of personal data was identified as the further misconduct. If the involvement of DPO is limited merely to keeping him (ex post) informed about decisions which have been already made, the interference with the possibility of performance of the DPO’s duties is evident.

The above clearly shows that appointment and activities of a DPO have to be taken seriously including potential conflict of interest that may arise in case that the DPO holds a position of top manager of the company at the same time.