Belgium: DPA decisions on DPO requirements

Background and decision of the Belgian DPA

The decision of the Litigation Chamber follows an investigation carried out by the Inspection Service of the DPA in the context of the notification of a personal data breach. This data breach concerned the sending of email communications, including invoices, to incorrect recipients (namely, to secondary email addresses linked with the customer in the organization’s database but without a direct link with that customer, in addition to the primary email address).

In its report, as remitted to the Litigation Chamber, the Inspection Service raised three alleged infringements of the GDPR:

• Firstly, an alleged lack of cooperation with the DPA in the performance of its tasks, in particular the fact that the organization would have used various means to complicate the mandatory cooperation with the authority, referring to the so-called “Ten D’s” techniques, Art. 31 GDPR.
• Secondly, a failure to comply with the accountability principle, in particular with regard to the application of the risk assessment in relation to the reporting of a data breach, Art. 5.2 GDPR in coordination with Art.  24.1 and 33 GDPR.
• Thirdly, a lack of appropriate involvement of the DPO in relation to the data breach, in particular, the fact that the DPO was merely informed and not consulted in relation to the risk-assessment, Art. 38.1 GDPR, and an incompatibility between the DPO’s function as Head of Compliance, Risk Management and Audit departments and its DPO role, Art. 38.6 GDPR.

The first and second allegations were dismissed by the Litigation Chamber of the Belgian DPA, which concluded to an absence of infringement of Art. 31 and Art. 5.2, 24.1 and 33 GDPR in the case at hand.

In relation to the alleged lack of consultation of the DPO in the risk assessment related to the data breach, the Litigation Chamber stressed the importance of documenting data breaches, including the risk assessment, and involving the DPO as early as possible in the data breach assessment process. In the case at hand, the Litigation Chamber, however, upheld that the DPO was sufficiently involved in discussions about the data breach process.

In relation to the alleged infringement of Art. 38.6 GDPR, the Litigation Chamber followed the allegations of the Inspection Service and ruled that, by combining the functions of Head of Compliance, Risk Management and Audit departments with the role of DPO, the company had not complied with the obligation to ensure that the DPO’s tasks were exempt from conflict of interests. The reasoning of the Litigation Chamber is the following:

• Involvement in the decision-making process: as head of Compliance, Risk Management and Audit departments, the DPO will necessarily take decisions about the purposes and means of the data processing taking place in the context of the activities of these departments, e.g., internal investigations, audits, etc. Consequently, the DPO cannot act with the independence required by Art. 38.6 GDPR.
• Lack of secrecy and confidentiality: the dual role of DPO and of head of these departments may lead to insufficient guarantees of secrecy and confidentiality concerning the performance of the DPO’s tasks towards the staff members of these departments, in violation with Art. 38.5 GDPR.

In light of the above, the Litigation Chamber ordered the organization to take measures to cure this breach within a period of three months and imposed an administrative fine of EUR 50,000, namely the highest fine issued by the Belgian DPA so far.

The Litigation Chamber viewed the infringement at stake as a serious negligence, pointing out that the organization should have been better prepared to comply with the obligation to appoint a DPO under the GDPR, in particular, given that its core business activity involves processing of personal data, including sensitive data, on a very large scale.

Impact on the DPO’s role

The Belgian DPA’s decision may result in difficulties for companies that need or wish to appoint, or have appointed, a DPO who combines other tasks and duties than those bestowed upon the DPO.

Under Article 38.6. GDPR, the DPO is allowed to exercise other tasks and duties, if this does not result in a conflict of interests. In its Guidelines on DPOs, see reference below, the WP29 gives examples of senior management positions that generally generate conflicts of interests because they result in the DPO defining the purposes and means of the personal data processing. These positions are chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments.

The Belgian DPA seems to have a very broad interpretation of the notion of ‘conflict of interests’, considering that not only the functions identified by the WP29 could be considered as conflicting positions for the DPO, but also any position of head of a department in the organization, including head of the compliance or legal department. In addition, it may also be insufficient to have measures in place to mitigate the risk of conflicts of interest, e.g., guidelines or policies such as a ‘DPO Charter’ that was implemented by the sanctioned company.

In practice, it may become very difficult for organizations to find the right person to act as DPO. Combining the role of DPO with other roles lower down in the organizational structure may also be problematic for the reason that it cannot be excluded that more operational roles may be involved in the determination of purposes and means of processing activities, e.g., due to their involvement in such activities, as explained in the WP29’s Guidelines, or because these persons would then not have be sufficiently independent from – or would not have a direct access to – the management of the organization.

In any event, it will be interesting to follow the evolution of the Belgian DPA’s case law in this matter, in particular if the defendant decides to appeal this decision. According to information published in the press, it seems that, although the company remains convinced that what they put in place regarding their DPO was in line with GDPR, it will not appeal the decision.

It is also worth noting that it is not the first time that the Belgian DPA, in particular the Litigation Chamber, issues a decision in relation to Art. 38.6 GDPR. In a decision of 28 May 2019, Decision ANO 04/2019 – File number DOS-2019-00352, see reference below, the Litigation Chamber considered that, although Art. 38.4 GDPR states that data subjects may contact the DPO with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR, decisions relating to the exercise of data subjects’ rights must be taken by the data controller itself by virtue of Art. 12 and 17 GDPR, not by the DPO. In its decision, the Litigation Chamber decided to issue a warning, on the basis of Art. 58.2.a GDPR, to the data controller about the fact that the contemplated processing, the DPO had indicated that he had decided to delete the data subject’s personal data, infringed Art. 38.6 GDPR and to publish its decision.

Our take-aways

Whether your organization has already appointed a DPO or is contemplating appointing one, it would be wise to take the decisions of the Belgian DPA into account in such appointment and:

• To the extent possible, try to limit the risk of conflicts of interests by avoiding to appoint as DPO someone who is the head of a department in your organization and/or who is responsible for taking decisions on activities involving personal data, including within his/her department.
• As an additional safeguard, ensure that you have in place clear guidelines or policies in the, unlikely, event where your DPO would face a conflict of interests, for example, foresee a ‘four eyes’ review process or a possibility of having a substitute DPO able to take decisions independently from the DPO in case of conflicting situations, it being noted that this substitute DPO must also meet the GDPR requirements.
• Consult your DPO from the earliest stage possible in case of suspected data breach and ask his/her opinion on the risk posed by the breach, it being noted that any decision in that respect, including whether to notify the breach, should be taken by the data controller or processor.
• Avoid that your DPO takes decisions (such as deleting personal data) in the context of the exercise of their rights by data subjects.

Impact on DPO’s role in other EU Member States

One can question whether the decisions of the Belgian DPA may have an impact in other EU Member States. In light of the consistency approach under the GDPR, it would indeed make sense that data protection authorities adopt a common interpretation of Art. 38.6 GDPR and of the scope of conflict of interests.

For the time being, we are, however, not aware that any other data protection authority would have an interpretation that is as strict as the decision of the Litigation Chamber of the Belgian DPA.