DPO (Belgium): A Data Protection Officer Cannot Simultaneously be the Head of Another Department

In a decision of April 28, 2020, the Belgian Data Protection Authority took a rather restrictive approach to the position of the DPO within a company.

Indeed, in imposing a €50,000 fine on a Belgian company, the Authority considered, among other grounds, that its Data Protection Officer could not be, at the same time, the head of the compliance, risk and audit departments. For the Authority, there was a conflict of interest since the DPO could determine the purposes and means of the processing activities carried out by these departments.

Given that risk assessment, compliance and audit are an inherent part of the DPO role, this sanction requires companies to take a closer look at the position of their DPO.

Data Protection Officer: Appointment, Position and Skills

When an organisation appoints a Data Protection Officer, whether on a voluntary basis or because its processing activities meet the criteria set out in the GDPR (see here for more details), it should pay attention to the following points at the time of the DPO’s appointment:
The contractual relationship between the DPO and the Controller or Processor
The skills and level of expertise of the DPO
The position of the DPO within the company organisation and the resources to be allocated

When to Appoint a Data Protection Officer

The designation of a Data Protection Officer (DPO) is either mandatory or voluntary depending (i) on the kind of organisation, (ii) its activities and/or (iii) the type of processing operations it carries out (e.g. scale, type of data etc.).

According to Article 37(1) of the General Data Protection Regulation (GDPR), the designation of a DPO is required in three specific cases:

Where a public authority or body carries out processing operations (case 1);

Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale (case 2); or

Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences (case 3).