By decision of April 28, 2020, the Belgian Data Protection Authority has taken a rather restrictive approach concerning the position of the DPO within a company.
Indeed, for serving a €50,000 fine on a Belgium company, the Authority, considered, among other grounds, that its Data Protection Officer could not be, at the same time, the head of the compliance, risk and audit departments. For the Authority, there was a conflict of interest since the DPO could determine the purposes and means of the processing activities carried out by these departments.
Given that risk assessment, compliance and audit are an inherent part of the DPO role, this sanction requires companies to get a closer view on the position of their DPO.