When companies appoint a Data Protection Officer in accordance with the General Data Protection Regulation, many have considered giving the role to an existing employee. A recent decision from the Belgian Data Protection Authority may require companies to re-think this approach, and avoid having the Data Protection Officer wearing “incompatible hats.”
On April 28, 2020, the Belgian Data Protection Authority (DPA) fined major Belgian telecom provider Proximus EUR 50,000 for appointing a data protection officer (DPO) who also headed three other departments, namely the compliance, risk management, and internal audit departments. The DPA considered such a combination to be a conflict of interest. The decision is noteworthy because:
We provide more background and details on the decision below.
Under Article 37 of the GDPR, the centerpiece legislation for data protection in the EU, organizations that meet certain thresholds are required to appoint a DPO (e.g., in relation to large scale processing of sensitive or criminal information, or monitoring individuals’ behavior). The DPO is a multifaceted function that involves monitoring and advising organizations on privacy compliance and strategy, assisting in managing risk, accountability, and crises such as data breaches, and managing internal privacy matters (e.g., taking complaints from employees about privacy violations) and external issues with data protection authorities for example. Given the nature of the DPO role, the GDPR (Art. 38) sets a number of requirements to ensure that the DPO performs its tasks appropriately, including sufficient resources, a direct reporting line to management, confidentiality commitments when performing its tasks, as well as independence and being clear of functional conflicts of interest.
In addition, the Article 29 Working Party (a pre-GDPR consortium of EU data protection authorities, now replaced by the European Data Protection Board) issued Guidelines on DPOs in December 2016 (“DPO Guidelines”). Regarding conflicts of interest, the DPO Guidelines set out on page 16 that:
Proximus, a major Belgian telecom provider, submitted a security breach notification to the DPA. During the investigation of the security breach, the DPA’s investigator identified and argued that it found multiple GDPR infringements, including a lack of cooperation with the DPA, an insufficient process for determining the level of risks of harm of a security breach, and conflict of interest on the part of the DPO. However, the organization was only found liable and fined for the DPO’s conflict of interest.
The DPA indicated that the conflict of interest was particularly apparent because the DPO was also the head of three other departments within the organization, in which capacities the DPO was empowered to determine the purposes and means of the processing of personal information activities by those departments. As a result, the DPA considered that there had been a lack of independent oversight of the processing activities. It is interesting to see that the DPA seems to take a stricter approach than the DPO Guidelines. The DPO Guidelines set out that senior management positions may be incompatible with the DPO role, in particular those with executive activities, but not that they are incompatible per se. The organization argued that the DPO Guidelines suggest that executive functions are incompatible with the DPO role, but not advisory functions (such as head of compliance, risk, or audit). In contrast, the DPA seems to contend that senior management positions within departments that process personal information are structurally incompatible with the DPO role. A relevant question in this regard (which the decision doesn’t answer) is whether the DPA would have also opposed combining the role of DPO with only one of the other positions. The challenge in the current case may indeed have been that the DPO combined three key advisory roles so that core compliance reporting avenues may have been bottlenecked and controlled by the DPO.
Also noteworthy is that, regarding the position as head of internal audit, the DPA indicated that the internal audit department was responsible for the review and recording of internal practices, which may ultimately lead to employee dismissals. As one of the requirements of a DPO is to be accessible to and approachable for employees, the DPA considered that combining a DPO role with an Internal Audit position could cause employees to be reluctant to approach the DPO and prevent the DPO from meeting its secrecy and confidentiality requirements (e.g., because what the DPO learned from the employee may need to be recorded or reported for compliance reasons in its capacity as head of compliance or risk management). It is unclear how far the DPO’s secrecy and confidentiality duties carry, and also who they seek to benefit. The GDPR is concise on this point, and seems to grant Member States flexibility in how to implement that requirement (Art. 38.5). And while the Belgian Data Protection Act is silent on this point, the DPA’s reasoning suggest that the secrecy and confidentiality requirements seek to protect individuals who may engage with the DPO when making complaints or inquiries.
The DPA ordered the organization to resolve the conflict of interest, and issued a EUR 50,000 fine. The DPA found that, although there had been no evidence of intentional infringement, there had been serious negligence on the organization’s part because:
Finally, as explained above, the investigation by the DPA was triggered by a security breach notification and spiraled into a broader investigation. The DPA was empowered to investigate because it has the authority to lodge discretionary investigations into any aspect of a company’s GDPR compliance. This underscores the importance of carefully considering breach notifications. When making breach notifications, companies should not only consider the potential breach at hand, but also more generally their compliance with the GDPR requirements.