On 28 April 2020, the Litigation Chamber of the Belgian Data Protection Authority (DPA) sanctioned an organization with a fine of EUR 50,000 for non-compliance with the requirements related to the appointment of its DPO under Art. 38(6) of the GDPR. This Article states that the Data Protection Officer (DPO) may fulfil other tasks and duties, but that the controller or processor must ensure that any such tasks and duties do not result in a conflict of interests. According to the Litigation Chamber of the DPA, by appointing its Head of Compliance, Risk Management and Audit departments as DPO, the company did not ensure that the DPO’s tasks were free from any conflict of interests and, therefore, infringed the GDPR. This fine is the highest issued by the Belgian DPA so far.
The decision of the Litigation Chamber follows an investigation carried out by the Inspection Service of the DPA in the context of the notification of a personal data breach. This data breach concerned the sending of email communications, including invoices, to incorrect recipients (namely, in addition to the primary email address, to secondary email addresses linked with the customer in the organization’s database but without a direct link with that customer).
In its report, as remitted to the Litigation Chamber, the Inspection Service raised three alleged infringements of the GDPR:
The first and second allegations were dismissed by the Litigation Chamber of the Belgian DPA, which concluded that there was no infringement of Art. 31 or of Arts. 5.2, 24.1 and 33 GDPR in the case at hand.
In relation to the alleged lack of consultation of the DPO in the risk assessment related to the data breach, the Litigation Chamber stressed the importance of documenting data breaches, including the risk assessment, and of involving the DPO as early as possible in the data breach assessment process. In the case at hand, however, the Litigation Chamber found that the DPO had been sufficiently involved in the discussions about the data breach process.
In relation to the alleged infringement of Art. 38.6 GDPR, the Litigation Chamber followed the allegations of the Inspection Service and ruled that, by combining the functions of Head of Compliance, Risk Management and Audit departments with the role of DPO, the company had not complied with the obligation to ensure that the DPO’s tasks were free from conflicts of interest. The reasoning of the Litigation Chamber is the following:
In light of the above, the Litigation Chamber ordered the organization to take measures to cure this breach within a period of three months and imposed an administrative fine of EUR 50,000, which is the highest fine issued by the Belgian DPA so far.
The Litigation Chamber viewed the infringement at stake as serious negligence, pointing out that the organization should have been better prepared to comply with the obligation to appoint a DPO under the GDPR, in particular given that its core business activity involves the processing of personal data, including sensitive data, on a very large scale.
The Belgian DPA’s decision may create difficulties for companies that need or wish to appoint, or have already appointed, a DPO who combines that role with other tasks and duties.
Under Art. 38.6 GDPR, the DPO is allowed to exercise other tasks and duties, provided that this does not result in a conflict of interests. In its Guidelines on DPOs (see reference below), the WP29 gives examples of senior management positions that generally generate conflicts of interest because they result in the DPO defining the purposes and means of the personal data processing. These positions are chief executive, chief operating, chief financial and chief medical officer, as well as head of the marketing, Human Resources or IT departments.
The Belgian DPA seems to have a very broad interpretation of the notion of ‘conflict of interests’, considering that not only the functions identified by the WP29 could be considered as conflicting positions for the DPO, but also any position of head of a department in the organization, including head of the compliance or legal department. In addition, it may also be insufficient to have measures in place to mitigate the risk of conflicts of interest, e.g., guidelines or policies such as a ‘DPO Charter’ that was implemented by the sanctioned company.
In practice, it may become very difficult for organizations to find the right person to act as DPO. Combining the role of DPO with other roles lower down in the organizational structure may also be problematic, because it cannot be excluded that more operational roles are involved in determining the purposes and means of processing activities (e.g., through their participation in such activities, as explained in the WP29’s Guidelines), or because such persons would not be sufficiently independent from, or would not have direct access to, the management of the organization.
In any event, it will be interesting to follow the evolution of the Belgian DPA’s case law in this matter, in particular if the defendant decides to appeal this decision. According to information published in the press, it seems that, although the company remains convinced that what they put in place regarding their DPO was in line with GDPR, it will not appeal the decision.
It is also worth noting that this is not the first time that the Belgian DPA, in particular the Litigation Chamber, has issued a decision in relation to Art. 38.6 GDPR. In a decision of 28 May 2019 (Decision ANO 04/2019 – File number DOS-2019-00352, see reference below), the Litigation Chamber considered that, although Art. 38.4 GDPR states that data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR, decisions relating to the exercise of data subjects’ rights must be taken by the data controller itself by virtue of Arts. 12 and 17 GDPR, not by the DPO. In that decision, the Litigation Chamber decided to issue a warning to the data controller, on the basis of Art. 58.2.a GDPR, that the contemplated processing, in which the DPO had indicated that he himself had decided to delete the data subject’s personal data, infringed Art. 38.6 GDPR, and to publish its decision.
Whether your organization has already appointed a DPO or is contemplating appointing one, it would be wise to take the decisions of the Belgian DPA into account in such appointment and:
One can ask whether the decisions of the Belgian DPA will have an impact in other EU Member States. In light of the consistency mechanism under the GDPR, it would indeed make sense for data protection authorities to adopt a common interpretation of Art. 38.6 GDPR and of the scope of the notion of conflict of interests.
For the time being, however, we are not aware of any other data protection authority having adopted an interpretation as strict as that of the Litigation Chamber of the Belgian DPA.