On 28 April 2020, the Belgian data protection authority (DPA) fined a company €50,000 for having appointed its head of compliance, risk and audit as its data protection officer (DPO). The DPA’s decision is only available in Dutch (here) and in French (here).
What was the breach?
The reason for the fine was not that the DPO had a second role, as this is permitted under article 38(6) of the General Data Protection Regulation (GDPR). The DPA issued the fine because it determined that the DPO’s second role required him to make decisions about the purposes and means of processing personal data, and the making of such decisions is a material conflict of interest, which is a breach of article 38(6) of the GDPR.
What does this mean for businesses that have appointed a DPO?
If your business has appointed a DPO, we recommend undertaking an assessment of the tasks and duties the DPO is likely to perform (in all of their roles) to ensure that they are unlikely to be subject to a conflict of interest. This is important because the role of a DPO is to be independent and to inform and advise the controller or the processor, and the employees who carry out the personal data processing, of their obligations under the GDPR. A DPO is not permitted to make decisions about the purposes and means of processing personal data.
It would be wise to document the assessment of the tasks and duties of the DPO, and to implement a conflicts policy to ensure the DPO does not become subject to a conflict of interest in the future. Keeping such documentation will also help to demonstrate compliance with the GDPR under the accountability principle, which, as we know, is a key principle of the GDPR.