DPO and conflict of interest: the Belgian DPA issues a 50,000 EUR fine

May 4, 2020

Written by Jane Murphy


On 28 April 2020, the Belgian Data Protection Authority (“DPA”) fined a Belgian company 50,000 EUR for breach of Article 38(6) of the GDPR. The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance.

The Litigation Chamber stated that the administrative fine was not imposed with the intention to terminate the violation, but rather with a view to vigorously enforce the rules of the GDPR. In this respect, the Litigation Chamber specified that, although there was no element showing an intentional infringement, there was serious negligence on the part of the defendant. Please find below a non-official English translation of the excerpt of the decision which covers the DPO conflict of interest.

Follow this link to read the full version of the DPA’s decision (available only in Dutch): https://lnkd.in/dNXzrUt

NON-OFFICIAL ENGLISH TRANSLATION

Decision of the Belgian Data Protection Authority of 28 April 2020:

DPO conflict of interest


Litigation Chamber

Decision on the substance 18/2020 of 28 April 2020

File number: AH-2019-0013

Subject: Inspection report on responsibility in the event of data leaks and position data protection officer

[…]

Page 13:

d) Position of the Data Protection Officer (Article 38 GDPR)

  1. The Inspection service’s report makes the following observations on the position of the Data Protection Officer:

In addition to that function, the defendant’s DPO also fulfils the function of director of audit, risk and compliance at the defendant’s premises.

This file shows that the DPO is not in a position that is sufficiently free from a conflict of interest (as imposed by Article 38(6) GDPR) and is not sufficiently involved in discussions on personal data breaches (as imposed by Article 38(1) GDPR).

Insufficient involvement of the DPO:

  • The defendant’s DPO is only informed of the outcome of the risk assessment. In this respect, we refer to the letter of 12/06/2019 in which the RACI matrix under point 1.4.2.2 indicates that its DPO is only “informed” and not “consulted”. However, Article 38(1) GDPR requires that the DPO be duly and timely involved in all matters related to the protection of personal data.
  • The fields “DPO’s advice” were until recently systematically not filled in by the defendant. It appears from the explanation in section 1.4.2.2 of the defendant’s letter of 12/06/2019 (document 13) that the discussion on risk belongs to the “business” (which is also reflected in the RACI matrix referred to above) and that, until recently, the opinion of the Data Protection Officer was not included in the defendant’s model form (“Personal Data Breach Investigation Report”).

Conflict of interest of the Data Protection Officer

  • Conflicting tasks. The defendant states in its letters of 03/04/2019 and of 12/06/2019 that its Data Protection Officer only has an advisory role and cannot make decisions about the purposes and means of the processing, which is also mentioned in the [Article 29 Working Party’s Guidelines for Data Protection Officers (DPO)].[1] However, the existence of a conflict of interest is not limited to cases where a person determines the purposes and means of the processing. Conflicts of interest must always be assessed on a case-by-case basis. The aforementioned letter from the defendant shows that its Data Protection Officer is doing more than advising the defendant internally as that person performs conflicting tasks within Y (the defendant) which entail significant operational responsibility for data processing processes falling under the domain of audit, risk and compliance.
  • Pragmatic approach in Germany and in legal doctrine,[2] which […] refer to criteria such as (1) the existence or absence of self-monitoring by a leading function holder within the company, (2) the existence or absence of internal rules on conflicts of interest, and (3) bearing a significant operational responsibility with an impact on personal data, ….
  • Until recently, the defendant did not have a policy to prevent conflicts of interest. Only after registered letters from the DPA of 04/03/2019 and 16/05/2019 questioning the position of the Data Protection Officer, an undated document “Y (defendant) DPO Charter” was delivered via the defendant’s letter of 12/06/2019, still to be put on the agenda of the Audit and Compliance Committee in July 2019 (as mentioned on page 6 of the aforementioned defendant’s letter). The drafting of such a document does not imply that the independence of the DPO is sufficiently demonstrated.

As regards the involvement of the Data Protection Officer, the defence stresses that the Inspection service’s conclusion is based on a legal and a factual misinterpretation.

According to the defendant, as set out in its written pleadings, it would be sufficient, for the purposes of Article 38.1 GDPR, for the DPO to be informed as part of his involvement; this provision does not impose a specific obligation to be consulted, contrary to what is stated in the Inspection report.

The Litigation Chamber is of the opinion that the defendant’s position is not in line with the ratio legis and is not a meaningful interpretation of Article 38.1 GDPR, which provides that the DPO “shall be duly and timely involved in all matters concerning the protection of personal data”. By reducing the involvement of the DPO to merely (ex post) informing him of a decision, his function is eroded.

In this context, the Litigation Chamber refers in particular to the Article 29 Working Party’s Guidelines for DPOs[3], which underline the crucial importance of the DPO’s involvement as early as possible in all data protection related matters. Ensuring that the DPO is informed and, even more importantly, consulted from the outset will enable compliance with the General Data Protection Regulation.

Moreover, this promotes compliance with a data protection approach by design, as provided for in Article 25 GDPR, which should therefore become the standard procedure within the organisation’s management.

The Litigation Chamber finds that the defendant has misinterpreted Article 38.1 GDPR. However, it has been sufficiently demonstrated to the Litigation Chamber that, with regard to the risk assessment process, in practice the Data Protection Officer is involved and carries out an independent analysis of the privacy risk himself, prior to the final decision on the risk, by providing advice and his assistance as adviser.

Once a final decision on the outcome of the risk assessment has been taken by the representatives within the team or department responsible for the services or clients affected, the Data Protection Officer is only informed, not consulted. This corresponds to Article 38.1 in conjunction with Article 39.1(a) GDPR, which requires the DPO to act in an advisory capacity towards the data controller but not to be co-responsible for the final decision. On this basis, the Litigation Chamber confirms that the DPO will only be informed of the final risk decision.

The Litigation Chamber decides that on the one hand the defendant misinterprets the position of the Data Protection Officer, but that on the other hand it is plausible that in practice the Data Protection Officer is sufficiently involved. Therefore, no breach of Article 38.1 GDPR can be established.

As regards the Inspection service’s finding that there is a conflict of interest with respect to the DPO by virtue of the fact that he is also responsible for compliance, risk management and internal audit, the defendant argues that in the exercise of each of these functions, the person concerned does not take decisions himself, but his role is purely advisory. Moreover, the necessary measures would have been taken internally to avoid the risk of conflicts of interest. These measures were formalized in a DPO Charter which was validated by the defendant’s Audit Committee on 29 July 2019.

During the hearing, the Litigation Chamber examined the impact of the DPO on the decision-making under his other functions. As regards the role of the DPO, the Litigation Chamber raises how this is compatible with the function of conducting internal audits in which a report can identify certain elements that could lead to the dismissal of a particular employee, if appropriate. In this context, it is important to know whether the Data Protection Officer, who also holds the position of Head of Internal Audit, also has the right of decision in that capacity.

The Litigation Chamber emphasises that there is a difference between merely analysing processes and assessing the functioning of employees through internal audit, which is at odds with the position of trust held by the Data Protection Officer within the company. In this regard, the defendant argues that there is no problem of compatibility because the Data Protection Officer, as Head of Internal Audit, does not take or review individual decisions concerning employees.

The Litigation Chamber notes that in its conclusion, the defendant elaborates extensively on the independence and advisory role of each of the three departments, namely the Compliance department, Internal Audit department and Risk Management department, vis-à-vis the other departments of the company. Thus, the defendant states that the Audit, Compliance and Risk roles involve only limited risks of conflicts of interest, because they have “advisory” functions and have no decision-making power with respect to processing activities. This leads the defendant to state that the Data Protection Officer has no duties (including through his functions in each of the departments) that would allow him to make decisions about the purposes and means of any processing of personal data.[4]

The Litigation Chamber is of the opinion that this does not demonstrate that the Data Protection Officer who is part of each of these departments and holds a position of responsibility in them does not perform tasks that are incompatible with his position as Data Protection Officer.

The Litigation Chamber thus notes that the independence and advisory role of the department as such cannot simply be extended to the person who simultaneously holds the position of Data Protection Officer and that of data controller in a department.

The Litigation Chamber should assess how and to what extent the independence of the Data Protection Officer is ensured with regard to each of these three departments, in particular in a situation like the present one where the Data Protection Officer is not only part of, but also assumes the role of data controller for these departments.

Indeed, the defendant explicitly states that, in addition to the responsibilities as data controller, the same person is also responsible for compliance, risk management and internal audit.[5] The defendant himself thus designates the same physical person as controller for each of the three departments and as Data Protection Officer. This responsibility for each of these three departments unmistakably implies that that person in that capacity determines the purposes and means of the processing of personal data within these three departments and is thus responsible for the data processing processes that fall under the domain of compliance, risk management and internal audit as identified in the inspection report.

The Article 29 Working Party Guidelines for Data Protection Officers[6] explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is thus an essential conflict of interest. The role of departmental manager is thus inconsistent with the function of DPO who must be able to perform his or her tasks independently. The cumulation of the function of data controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, on the basis of the same physical person, lacks any possible independent supervision by the Data Protection Officer for each of these three departments. Moreover, the cumulation of these functions may lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members in accordance with Article 38.5 of the GDPR. Consequently, the Litigation Chamber is of the opinion that the infringement of Article 38.6 GDPR has been proven.

It is important that the Data Protection Officer is able to perform his tasks and duties with respect for the position assigned to him under Article 38 GDPR, in particular that he can act without a conflict of interest. Therefore, the Litigation Chamber instructs the defendant to bring the processing in this respect in line with Article 38.6 of the GDPR and thus ensures that these tasks or duties do not lead to a conflict of interest.

Taking into account the fact that the GDPR has assigned a key role to the Data Protection Officer by giving him an informative and advisory role with regard to the data controller on all matters relating to the protection of personal data, including the notification of data breaches, the Litigation Chamber will also impose an administrative fine.

In addition to the corrective measure to bring the processing in line with Article 38.6 of the GDPR, the Litigation Chamber also decides to impose an administrative fine that is not intended to terminate a violation committed, but with a view to vigorously enforcing the rules of the GDPR. As can be seen from Recital 148, the GDPR requires that, in the event of serious infringements, penalties, including administrative fines, be imposed in addition to or instead of appropriate measures.[7] The Litigation Chamber does this in application of Article 58.2 i) GDPR. The instrument of an administrative fine is therefore in no way intended to end infringements. To this end, the GDPR and the WOG[8] provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. First of all, the nature and seriousness of the infringement is taken into account by the Litigation Chamber in order to justify the imposition of this sanction and its amount.

In this respect, the Litigation Chamber finds that, although there is no element showing that there has been an intentional infringement, there is serious negligence on the part of the defendant. Although the DPO is a function that the GDPR made mandatory at European level for the first time, the concept of a DPO is not new and has existed for a long time in many Member States and in many organisations.[9]

In addition, the Article 29 Working Party already adopted guidelines for these officials on 13 December 2016. These guidelines were revised on 5 April 2017 following a wide-ranging public consultation. As shown below, these guidelines are clear on the extent to which the DPO can also perform other functions within the company, taking into account the organisational structure specific to each organisation and to be assessed on a case-by-case basis.

In short, in the opinion of the Litigation Chamber, there is no doubt that the cumulation of the function of Data Protection Officer with a function as head of a department to be supervised by the Data Protection Officer cannot be done in an independent manner.

An organisation such as the defendant may be expected to prepare carefully for the introduction of the GDPR and to do so from the time the GDPR enters into force, in accordance with article 99 of the GDPR in May 2016. After all, the processing of personal data is a core activity of the defendant, which, moreover, processes personal data on a very large scale, including personal data that may have a high degree of sensitivity for data subjects, partly because they enable regular and systematic observation.[10]

The duration of the breach is also taken into account. The Data Protection Officer has been created in the GDPR applicable since 25 May 2018, so that the breach of Article 38.6 GDPR has been established since that date. In any case, the infringement continued on the date of the hearing, i.e. 14 February 2020.

Finally, the defendant is processing personal data of millions of people. Ineffective safeguards for the protection of personal data, in particular the appointment of a Data Protection Officer who does not meet the requirement of independence and thus cannot act free from any conflict of interest, thus have a potential impact on millions of data subjects.

All the elements set out above justify an effective, proportionate and dissuasive sanction, as provided for in Article 83 of the GDPR, taking into account the assessment criteria laid down therein, amounting to EUR 50,000. The Litigation Chamber points out that the other criteria set out in Article 83.2 GDPR in this case are not of the nature that they result in an administrative fine other than that established by the Litigation Chamber in the context of this decision.

e) Publication of the decision

Given the importance of transparency in relation to the decision of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identification of the parties to be published directly for this purpose.

FOR THESE REASONS,

the Data Protection Authority’s Litigation Chamber, after deliberation, decides to:

– pursuant to Article 100, §1, 9° WOG, to order the defendant to bring the processing into line with Article 38.6 GDPR. For this purpose, the Litigation Chamber gives the defendant a term of three months and expects the defendant to report to it by 31 July 2020 at the latest on bringing the processing into line with the aforementioned provisions;

– to impose an administrative fine of EUR 50,000 pursuant to Article 100, §1, 13° WOG and Article 101 WOG.

An appeal against this decision can be lodged with the Market Court[11] within a period of thirty days from the notification, pursuant to Article 108, §1 of the WOG, with the Data Protection Authority as defendant.

(sgd.) Hielke Hijmans

President of the Litigation Chamber

_____

[1] WP243Rev01, pp. 20-21.

[2] Press release of the Bavarian Supervisory Authority of 20/10/2016 on an IT manager published on https://www.lda.bayern.de/media/pm2016 OS.pdf and commented on https://iapp.org/news/a/german-company-fined-for-dpoconflict-of-interest/ as well as legal doctrine on the subject (in particular F. SCHRAM, The Data Protection Officer, Cahier edition 2, Politeia, 2019, 119-121).

[3] “It is crucial that the DPO, or his team, is involved as early as possible in all data protection related matters. As regards data protection impact assessments, the General Data Protection Regulation explicitly mentions that the DPO should be involved at an early stage and specifies that the controller should seek advice from the DPO when carrying out such impact assessments. Ensuring that the DPO is informed and consulted from the outset will enable compliance with the General Data Protection Regulation and promote a privacy approach by design, which should therefore become standard procedure within the organisation’s management. It is also important that the DPO is seen as an interlocutor within the organisation and that he/she is part of the relevant working groups dealing with data processing within the organisation”, WP243Rev01, para 3.1 of the Guidelines, underlined by the Litigation Chamber.

[4] Conclusion defendant, nos 166 and 167.

[5] See letter to the DPA dated 3 April 2019, quoted in the conclusion.

[6] According to Article 38(6), Data Protection Officers may “carry out other duties and tasks”. However, for this purpose, the organisation must ensure that “these tasks or duties do not give rise to a conflict of interest”.

The absence of a conflict of interest is closely linked to the requirement to act autonomously. Although DPOs may hold other functions, they can only be entrusted with other tasks and duties if they do not give rise to any conflict of interest. In particular, this means that the DPO cannot hold a position within the organisation in which he or she has to determine the purposes and means of the processing of personal data. Given the specific organisational structure of each organisation, this should be assessed on a case-by-case basis.

As a rule of thumb, positions within the organisation that involve a conflict of interest are considered to include senior management positions (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, Head of Marketing, Head of Human Resources or Head of IT), as well as lower-level positions within the organisational structure where these individuals are required to determine the purposes and means of data processing. In addition, a conflict of interest may also arise, for example, when an outside data protection officer is asked to represent the controller or processor in court in litigation over data protection issues.

Depending on the activities, size and structure of the organisation, it may be good practice for data controllers or processors to:

  • identify the positions that may be incompatible with the position of data protection officer;
  • establish internal rules to this end in order to avoid conflicts of interest;
  • include a more general explanation of conflicts of interest;
  • declare that their DPO does not have a conflict of interest in his function as DPO, as a way of sensitising others to this requirement;
  • include safeguards in the organisation’s internal rules of procedure and ensure that the vacancy for the position of data protection officer or service contract is sufficiently precise and detailed to avoid conflicts of interest. In this regard, we must take into account that conflicts of interest can take various forms depending on whether the DPO is recruited internally or externally.

WP243Rev01, para 3.5, underlined by Litigation Chamber.

[7] Recital 148 states that “In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative pecuniary sanctions, should be imposed for any breach of the Regulation in addition to, or instead of, appropriate measures imposed by the supervisory authorities under this Regulation”. In the case of a minor breach or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, seriousness and duration of the breach, the intentional nature of the breach, harm reduction measures, the degree of responsibility or previous relevant breaches, the manner in which the breach came to the knowledge of the supervisory authority, the compliance with the measures taken against the controller or processor, the adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective remedy and due process.

[8] Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG.

[9] See among others WP243Rev01, para 1.

[10] Reference is made, inter alia, to Article 37(1) GDPR. See in this context also the case law of the European Court of Justice on the potentially sensitive nature of telecommunications data, e.g. Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others, ECLI:EU:C:2014:238, para 37.

[11] This is a section within the Brussels Court of Appeal that is (exclusively) competent for specific types of cases, such as appeals against decisions of the Competition Authority, the FSMA, BIPT, CREG or other regulators.
