The Organisation (defendant) designated its Head of Compliance, Risk and Audit as its Data Protection Officer (DPO). The DPA ruled that in doing so, the Organisation violated art. 38(6) GDPR, which requires that any other tasks of the data protection officer do not result in a conflict of interest. According to the defendant, no conflict of interest arose because the assigned DPO was not in charge of any decision-making regarding personal data processing. However, based on the DPO's role as the person in charge of compliance, risk and audit, the DPA found that he was in fact at least partially accountable for the processing of personal data. Consequently, the DPA deemed it highly unlikely that the assigned DPO would be in a position to independently oversee any data processing activities. As a result, the DPA ruled that the Organisation acted contrary to art. 38(6) GDPR and imposed an administrative fee of €50.000. Underlining the gravity of the offence, this is the highest administrative fee the Belgian Data Protection Authority has issued up to now.
Impact on Organisations
As the ruling shows, the DPA interprets the “conflict of interest” criterion very strictly. What Organisations should take from the DPA’s ruling is that the role of the DPO should, if possible, not be combined with heading other departments of the organisation, as this will almost certainly result in an inability to act independently. If the role of DPO is combined with roles in other departments, it is of crucial importance to uphold the GDPR’s independence requirement as laid down in art. 38(6) GDPR.
The full decision (in Dutch) can be found here.