On 28 April 2020, the Belgian data protection authority (DPA) fined a company €50,000 for having appointed its head of compliance, risk and audit as its data protection officer (DPO). The DPA’s decision is only available in Dutch and in French.
What was the breach?
The reason for the fine was not that the DPO had a second role, as this is permitted under article 38(6) of the General Data Protection Regulation (GDPR). The DPA issued the fine because it determined that the DPO’s second role required him to make decisions about the purposes and means of processing personal data, and the making of such decisions is a material conflict of interest, which is a breach of article 38(6) of the GDPR.