One Hat Too Many for the European Data Protection Officer

When companies appoint a Data Protection Officer in accordance with the General Data Protection Regulation, many have considered giving the role to an existing employee. A recent decision from the Belgian Data Protection Authority may require companies to re-think this approach, and avoid having the Data Protection Officer wearing “incompatible hats.”

DECISION AND ITS SIGNIFICANCE

On April 28, 2020, the Belgian Data Protection Authority (DPA) fined major Belgian telecom provider Proximus EUR 50,000 for appointing a data protection officer (DPO) who also headed three other departments, namely the compliance, risk management, and internal audit departments. The DPA considered such a combination to be a conflict of interest. The decision is noteworthy because:

• The DPA seems to take the position that any senior management position (involving determinations for the processing of personal information) is incompatible with the DPO role, even if the position is advisory, while prior EU guidance focused on executive management positions such as CEO, CFO, and COO. The decision may be disruptive for companies with a DPO who also fulfills a senior management position, e.g., head of compliance, risk, or audit. Actually, it isn’t clear which senior management position would still be acceptable to combine with the DPO role (since most positions would involve some determination for the processing of personal information).
• Also, the fine is the largest issued by the DPA since the General Data Protection Regulation 2016/679 (GDPR) came into effect. However, the amount (EUR 50,000) appears small in comparison to what other authorities have imposed such as the French CNIL’s 50 million fine against Google.

We provide more background and details on the decision below. 

WHAT IS A DATA PROTECTION OFFICER?

Under Article 37 of the GDPR, the centerpiece legislation for data protection in the EU, organizations that meet certain thresholds are required to appoint a DPO (e.g., in relation to large scale processing of sensitive or criminal information, or monitoring individuals’ behavior). The DPO is a multifaceted function that involves monitoring and advising organizations on privacy compliance and strategy, assisting in managing risk, accountability, and crises such as data breaches, and managing internal privacy matters (e.g., taking complaints from employees about privacy violations) and external issues with data protection authorities for example. Given the nature of the DPO role, the GDPR (Art. 38) sets a number of requirements to ensure that the DPO performs its tasks appropriately, including sufficient resources, a direct reporting line to management, confidentiality commitments when performing its tasks, as well as independence and being clear of functional conflicts of interest.

In addition, the Article 29 Working Party (a pre-GDPR consortium of EU data protection authorities, now replaced by the European Data Protection Board) issued Guidelines on DPOs in December 2016 (“DPO Guidelines”). Regarding conflicts of interest, the DPO Guidelines set out on page 16 that: 

• A DPO cannot hold a position in another department within an organization where the department “determines the purposes and means” of the processing of personal information. Whether that is the case requires a factual assessment, as it depends on the organization’s corporate structure.
• Conflicting positions within an organization may include, for example, senior management positions such as CEO, CFO, COO, chief medical officer, or head of marketing, human resources or IT, but also positions lower down the chain, if those positions enable a determination of the purposes and means of the processing of personal information.

HOW DID THE DECISION EMERGE?

Proximus, a major Belgian telecom provider, submitted a security breach notification to the DPA. During the investigation of the security breach, the DPA’s investigator identified and argued that it found multiple GDPR infringements, including a lack of cooperation with the DPA, an insufficient process for determining the level of risks of harm of a security breach, and conflict of interest on the part of the DPO. However, the organization was only found liable and fined for the DPO’s conflict of interest.

ONE HAT OR THREE HATS TOO MANY – WHEN ARE INTERESTS CONFLICTED?

The DPA indicated that the conflict of interest was particularly apparent because the DPO was also the head of three other departments within the organization, in which capacities the DPO was empowered to determine the purposes and means of the processing of personal information activities by those departments. As a result, the DPA considered that there had been a lack of independent oversight of the processing activities. It is interesting to see that the DPA seems to take a stricter approach than the DPO Guidelines. The DPO Guidelines set out that senior management positions may be incompatible with the DPO role, in particular those with executive activities, but not that they are incompatible per se. The organization argued that the DPO Guidelines suggest that executive functions are incompatible with the DPO role, but not advisory functions (such as head of compliance, risk, or audit). In contrast, the DPA seems to contend that senior management positions within departments that process personal information are structurally incompatible with the DPO role. A relevant question in this regard (which the decision doesn’t answer) is whether the DPA would have also opposed combining the role of DPO with only one of the other positions. The challenge in the current case may indeed have been that the DPO combined three key advisory roles so that core compliance reporting avenues may have been bottlenecked and controlled by the DPO.

Also noteworthy is that, regarding the position as head of internal audit, the DPA indicated that the internal audit department was responsible for the review and recording of internal practices, which may ultimately lead to employee dismissals. As one of the requirements of a DPO is to be accessible to and approachable for employees, the DPA considered that combining a DPO role with an Internal Audit position could cause employees to be reluctant to approach the DPO and prevent the DPO from meeting its secrecy and confidentiality requirements (e.g., because what the DPO learned from the employee may need to be recorded or reported for compliance reasons in its capacity as head of compliance or risk management). It is unclear how far the DPO’s secrecy and confidentiality duties carry, and also who they seek to benefit. The GDPR is concise on this point, and seems to grant Member States flexibility in how to implement that requirement (Art. 38.5). And while the Belgian Data Protection Act is silent on this point, the DPA’s reasoning suggest that the secrecy and confidentiality requirements seek to protect individuals who may engage with the DPO when making complaints or inquiries.

JUSTIFICATION FOR FINE

The DPA ordered the organization to resolve the conflict of interest, and issued a EUR 50,000 fine. The DPA found that, although there had been no evidence of intentional infringement, there had been serious negligence on the organization’s part because:

• The DPO is a pivotal function under the GDPR.
• The organization processes personal information of a millions of individuals.
• The concept of a DPO has existed for many years in many EU Member States prior to the GDPR, and is not new.
  
  • This is somewhat surprising. Although a role similar to that of the DPO existed in Belgium’s previous national law (Art. 17bis) prior to the GDPR, this role was different in many respects from the GDPR’s definition of a DPO (see the DPA’s April 2017 recommendation for DPOs). In particular, the appointment of a Belgian DPO was required by sectoral laws only, and focused mainly on public sector fields (e.g., access to the national ID register, Social Security, and hospitals). As the DPA itself points out in its recommendation (point 17), the GDPR role goes “far beyond what is foreseen by the [pre-GDPR EU data protection] directive 95/46 and what various national implementing rules of that directive have set out.”  
  • The organization was required under the GDPR to appoint a DPO, it was not a voluntary decision.
  • The requirement to appoint a DPO existed from the moment that the GDPR came into effect on May 25, 2018. Thus, the organization had been in breach of the GDPR’s DPO requirement as of that moment.
    
    • This reasoning is also important. It potentially means that any breach of the GDPR’s DPO requirements, or other structural requirements (e.g., appointing a representative in the EU under Art. 27), would be long-term breaches (instead of, e.g., only if the DPA challenges an interpretation).

Finally, as explained above, the investigation by the DPA was triggered by a security breach notification and spiraled into a broader investigation. The DPA was empowered to investigate because it has the authority to lodge discretionary investigations into any aspect of a company’s GDPR compliance. This underscores the importance of carefully considering breach notifications. When making breach notifications, companies should not only consider the potential breach at hand, but also more generally their compliance with the GDPR requirements.