The European Union’s General Data Protection Regulation (GDPR) requires that a company appoint a data protection officer (DPO) when one of three criteria is met:
- The organization is a public authority or body;
- The core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
Does the DPO need to be a stand-alone position? Or can someone in the compliance department add the responsibility to his or her plate?
A recent ruling out of Belgium throws cold water on that idea. On April 28, the Belgian Data Protection Authority (DPA) imposed a fine of €50,000 (U.S. $54,000) upon the company Proximus SA for violations of the GDPR regarding the appointment of a DPO. The case examined whether the company’s DPO also holding the role of director of audit, risk, and compliance went against the GDPR’s standard of conflict of interest.
Article 38 (6) of the GDPR states “the data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” Conflicts of interest are determined on a case-by-case basis.
In the case of Proximus SA (translated into English from its original form), the Belgian DPA found the company originally had no policy to prevent conflicts of interest regarding the role. The company argued that as head of audit, risk, and compliance, the individual’s role is merely advisory—not one that can make decisions—and thus “there would be necessary internal measures taken to avoid the risk of conflicts of interest.”
The DPA felt such an explanation undermined the responsibilities of the DPO. “This leads the defendant to argue that the officer responsible for data protection has no tasks (including through its functions in each of the departments) allowing him to make decisions about the purpose and means of any processing of personal data,” the DPA notes.
The DPA’s opinion continues as follows and offers a notable benchmark for companies to consider when appointing a DPO:
“The defendant expressly stipulates that in addition to the responsibilities as data protection officer that same person is also responsible for compliance, risk management and internal audit. … This responsibility for each of these three departments undeniably implies that the person in that capacity has the objectives of and the means for the processing of personal data within these three departments and is therefore responsible for the data processing processes [that] fall under the domain of compliance, risk management and internal audit as was established in the inspection report.
“The data protection officer within the organization cannot function where he or she has objectives and means for processing … personal data. This is therefore a material conflict of interest (emphasis added). The role of the person in charge of a department cannot therefore be reconciled with the position of data protection officer, who must be able to carry out his duties independently. By cumulating the position of [responsibility] for each of the three relevant departments separately, on the one hand, and the position of data protection officer, on the other hand, any possible independent supervision by the data protection officer is missing for each of these three departments. In addition, accumulating these functions can mean that the secrecy and confidentiality towards employees in accordance with article 38.5 GDPR cannot be guaranteed sufficiently. The Disputes Chamber is therefore of the opinion that the infringement of Article 38.6 GDPR has been proven.”