
In a decision dated 28 April 2020 (available only in French and Dutch), the Belgian Data Protection Authority (“DPA”) had the opportunity to reiterate the fundamental role of the Data Protection Officer (“DPO”) and the need to ensure that the latter’s tasks and duties do not result in a conflict of interest. In the context of an investigation following a self-reported data breach by Proximus (the breach itself was not considered by the DPA to be a violation of the GDPR), the DPA’s Inspection Service observed that Proximus’ DPO performed his tasks in a situation of conflict of interest.
As a reminder, the GDPR imposes the obligation upon data controllers and processors to designate a DPO in any situation where (i) the data processing is carried out by a public authority or body, (ii) the data controller’s or processor’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or (iii) the data controller’s or processor’s core activities consist of large-scale processing of special categories of data pursuant to Articles 9 and 10 of the GDPR. The DPO’s tasks include, among other things, informing and advising the controller or processor and its employees of their obligations under data protection legislation and monitoring compliance with that legislation. Pursuant to Article 38.6 of the GDPR, the DPO may fulfil other tasks and duties; however, the data controller or processor must ensure that any such tasks and duties do not result in a conflict of interest.
In this case, Proximus’ DPO was also the head of the Compliance, Risk Management and Internal Audit departments. Proximus argued that in these functions its DPO takes on only an advisory role and does not take any decisions relating to the purposes and means of any data processing activity. According to the DPA, however, it follows from the fact that the DPO also acts as head of these departments that, in this capacity, he also determines the purposes and means of the data processing activities within these departments and as such is responsible for the data processing flows relating to compliance, risk management and internal audit. Independent supervision of these departments by the DPO would therefore be impossible. In addition, secrecy and confidentiality towards employees could not be guaranteed.
The DPA therefore concluded that Proximus had failed to protect its DPO from conflicts of interest, in violation of Article 38.6 of the GDPR, and imposed a fine of EUR 50,000 on the company. Proximus has already announced that it will not appeal the DPA’s decision before the Market Court.
The DPA’s decision is a reminder for companies that give their DPO other significant responsibilities within the company to ensure that situations in which conflicts of interest may arise are avoided, and that the necessary measures and policies are in place - and duly documented - to mitigate such situations.
Please contact Karel Janssens for further information about this case and/or for general legal advice relating to privacy and data protection law.