On 28 April 2020, the Belgian data protection authority (DPA) fined a company €50,000 for having appointed its head of compliance, risk and audit as its data protection officer (DPO). The DPA’s decision is only available in Dutch (here) and in French (here).

What was the breach?

The reason for the fine was not that the DPO had a second role, as this is permitted under article 38(6) of the General Data Protection Regulation (GDPR). The DPA issued the fine because it determined that the DPO’s second role required him to make decisions about the purposes and means of processing personal data, and the making of such decisions is a material conflict of interest, which is a breach of article 38(6) of the GDPR.

Continue Reading Belgian DPA fines company €50,000 for appointing DPO with conflicting role

In a late night session on 28 June 2019, the German Parliament (Bundestag) passed the Second GDPR Implementation Act (2. Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – 2. DSAnpUG-EU; the Act). The Act is available online in German here and here. For more information on the First German GDPR Implementation Act read our

The UK Information Commissioner’s Office (ICO) has issued a resource for organizations to utilise when hiring and structuring the roles of data protection officers (DPO) under the General Data Protection Regulation (GDPR). This blog summarises several key elements of these resources.

DPO checklist

The checklist contains four sections which include:

  1. Appointing a DPO – across situations where a DPO is required to be appointed, and also where one is not expressly required but one has been voluntarily appointed.
  2. Position of the DPO – outlining the reporting structure, involvement in all issues relating to data protection, resources available to a DPO, and independence and freedom from conflicts in one’s capacity in the DPO role.
  3. Tasks of the DPO – setting out the roles and responsibilities of the DPO, including compliance, training and audits, as well as acting as a contact point for the ICO.
  4. Accessibility of the DPO – announcing the DPO as the accessible point of contact for employees, individuals, the ICO, and stating that the DPO should have their contact details published and communicated to the ICO.

DPO appointment

An organisation must appoint a DPO if:

  • It is a public authority or body (other than a court acting in a judicial capacity); or
  • Its core activities require regular and systematic monitoring of individuals on a large scale (which include tracking online behaviours); or
  • Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


Continue Reading ICO issues guidance on hiring and supporting DPOs

On 25 April 2018, the European Parliament’s Civil Liberties, Justice & Home Affairs Committee published a corrigendum (an error to be corrected in a printed work after publication) to the European General Data Protection Regulation ((EU 2016/679) (GDPR).

There are 26 “official” language versions of the GDPR (all European Economic Area countries plus Norway and Iceland). This can create differences in interpretation, with potentially serious ramifications for enforcement and compliance, so harmonising the legislation is a key concern for the EU Parliament. The corrigendum deals mainly with typographical and clerical errors for all language versions of the GDPR. Many of these had previously been requested by Member States for their own language versions.

Continue Reading European Parliament publishes a corrigendum to the GDPR