The Belgian data protection authority fines a data controller 50,000 EUR for appointing a DPO with a potentially conflicting position
"The Belgian data protection authority recently examined a case where a major company had appointed a DPO who was also its head of compliance, audit and risk. The company was not identified in the decision, but it is described as having data processing as a core activity, and having a turnover of around 4 billion EUR.
The case was taken under consideration following a data breach report by the company itself, relating to incorrectly addressed invoices. The Inspection Chamber of the Belgian DPA found several shortcomings when examining the report, one of which related to the required independence of its DPO. Following its findings, a formal assessment was done by the Litigation Chamber of the DPA.
After due consideration, the Litigation Chamber ruled that the DPO had an undue influence on data processing activities, since the DPO was also the Head of Compliance, Risk and Audit, and therefore responsible for decision making on data processing in many critical activities. Therefore, the DPA ruled that the DPO couldn't exercise the independent oversight which is required by the GDPR. Stressing that the concept and obligation of appointing a DPO was not new, the Litigation Chamber described the conflict as showing a "significant degree of negligence", and issued a fine of 50.000 EUR. This is the highest fine issued to date in Belgium, although it's worth noting that it still only represents less than 0,01% of the company's turnover.
In a tweet, the DPA itself stressed the positive outcome for DPOs: the fine was issued to the controller, and not to the DPO itself. Assurance of DPO independence is thus foremost - though likely not exclusively - the responsibility of the controller. Critics also note however that this strict interpretation of the independence requirement sets the bar at an extremely high level. The decision implies that a large organisation will often need to appoint multiple persons with specialist knowledge of data protection law: such knowhow is critical for DPOs and company lawyers or compliance staff in general, and the decision makes it clear that one person cannot combine both roles. That may be a very big ask for SMEs."
Article provided by: Hans Graux (Time.lex, Belgium)
Dr. Tobias Höllwarth (Managing Director INPLP)