The Belgian data protection authority fines a data controller 50,000 EUR for appointing a DPO with a potentially conflicting position

It is not too uncommon for a single person to be in charge of general compliance in an organisation, and to also act as its DPO. Is that in line with the GDPR's requirements for independence of the DPO? The Belgian DPA says no, and issued a fine to the data controller.

"The Belgian data protection authority recently examined a case where a major company had appointed a DPO who was also its head of compliance, audit and risk. The company was not identified in the decision, but it is described as having data processing as a core activity, and having a turnover of around 4 billion EUR.

The case was taken under consideration following a data breach report by the company itself, relating to incorrectly addressed invoices. The Inspection Chamber of the Belgian DPA found several shortcomings when examining the report, one of which related to the required independence of its DPO. Following its findings, a formal assessment was done by the Litigation Chamber of the DPA.

After due consideration, the Litigation Chamber ruled that the DPO had an undue influence on data processing activities, since the DPO was also the Head of Compliance, Risk and Audit, and therefore responsible for decision making on data processing in many critical activities. Therefore, the DPA ruled that the DPO couldn't exercise the independent oversight which is required by the GDPR. Stressing that the concept and obligation of appointing a DPO was not new, the Litigation Chamber described the conflict as showing a 'significant degree of negligence', and issued a fine of 50.000 EUR. This is the highest fine issued to date in Belgium, although it's worth noting that it still only represents less than 0,01% of the company's turnover.

In a tweet, the DPA itself stressed the positive outcome for DPOs: the fine was issued to the controller, and not to the DPO itself. Assurance of DPO independence is thus foremost - though likely not exclusively - the responsibility of the controller. Critics also note however that this strict interpretation of the independence requirement sets the bar at an extremely high level. The decision implies that a large organisation will often need to appoint multiple persons with specialist knowledge of data protection law: such knowhow is critical for DPOs and company lawyers or compliance staff in general, and the decision makes it clear that one person cannot combine both roles. That may be a very big ask for SMEs."

Article provided by: Hans Graux (Time.lex, Belgium)
