By a decision of April 28, 2020, the Belgian Data Protection Authority has taken a rather restrictive approach concerning the position of the Data Protection Officer (DPO) within a company.
Indeed, the Authority served a €50,000 fine on a Belgium company, considering, among other grounds, that its Data Protection Officer could not be, simultaneously, the head of the compliance, risk and audit departments. For the Authority, there was a conflict of interest since the DPO could determine the purposes and means of the processing activities carried out by these departments.
Given that risk assessment, compliance and audit are an inherent part of the DPO role, this sanction requires companies to get a closer view on the position of their DPO.
Following a data leak, the Belgian Data Protection Authority performed an audit of the concerned company revealing that the data protection officer of this company was also the director of the company’s audit, risk and compliance departments.
The authority, considering that there was a conflict of interest, sanctioned the company on this ground.
The reasoning of the Authority
As part of its decision, the authority stated that “the independence and advisory role of the department as such cannot simply be extended to the person who simultaneously holds the position of data protection officer and that of the head of a department.”
It considers that being head of these departments entails that the DPO in that capacity determines the purposes and means of the processing of personal data within these three departments and is thus responsible for the data processing activities falling under the domain of compliance, risk management and internal audit.
The Authority points out that the Working Party 29 Guidelines on Data Protection Officers provide that the Data Protection Officer cannot perform any function within the organisation involving that he or she has to determine the purposes and means of the processing of personal data. Therefore, this situation constitutes a conflict of interest that leads to a lack of independent supervision of the data processing activities of these three departments.
Besides, the Authority also pointed out that this situation may lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members.
Our view on the decision
While we understand the rationale behind the decision, the lack of details on why being head of compliance, risk and audit within this specific company is an issue makes this decision very restrictive.
Indeed, the DPO may carry out additional activities to the extent it does not result in a conflict of interest.
One of the criteria to determine whether there is a conflict of interest is that the DPO cannot be in a position that leads him or her to determine the purposes and the means of data processing activities within the company.
If we apply this criterion in the same way as the Belgian Authority, it is almost impossible for a DPO not to determine the means and the purposes of any processing activities (e.g. they may determine the purpose and the means of the handling of data subject request process, which involves the processing of personal data).
The WP 29 (i.e. the former European Data Protection Board) considered that conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of the marketing department, head of Human Resources or head of IT departments). These examples did not include head of legal, audit or compliance and therefore, we could imagine that where the conflict of interest was marginal, it was possible to appoint a DPO that would also be in charge of other company’s activities.
To our mind, the impact and context of the potential conflict of interest could also be taken into consideration. Indeed, the size of the company, the processing activities at stake may play a role in deciding whether it is acceptable for a DPO to carry out any given additional activities.
If other similar decisions were to be issued, it would be expected that the authorities or the European Data Protection Board provide more details about the extent to which this criterion should apply.
In any events, in light of this decision, organisations should review the position of their DPO so that to ensure there is no conflict of interest.