A MoFo Privacy Minute Q&A: Belgian Regulator Further Shapes the Contours on When to Appoint a DPO and Who Can Hold the Position
This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Under the EU General Data Protection Regulation (GDPR), organizations must appoint a Data Protection Officer (DPO) if their core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale (GDPR Art. 37.1.a). The Belgian Data Protection Authority (DPA) recently provided its opinion on this requirement for cookies, as well as on conflicts of interest affecting a DPO role.
Question: Do I need to appoint a DPO if I use cookies?
Answer: Probably not. It depends on what you use the cookies for and how intrinsic they are to your business. In a recent decision, the DPA indicated that although cookies and HTTP variables (e.g., web beacons) are fundamentally intended as trackers (which would amount to monitoring of individuals), in practice they can serve many purposes other than monitoring (e.g., audience measurement or technical connection cookies, as opposed to behavioral advertising). Also, in this particular case, the use of monitoring cookies was not part of the organization’s “core activity”: the organization demonstrated that it could continue its activities without using the cookies. As a result, the DPA did not find that the company’s use of cookies made it necessary to appoint a DPO.
Question: Does the GDPR require documenting the decision on whether or not to appoint a DPO?
Answer: No. The DPA has indicated that although documenting one’s reasons for not appointing a DPO is recommended, it is not mandatory under the GDPR.
Question: Are purely advisory leadership roles compatible with the DPO role?
Answer: Probably not. The Belgian DPA has issued strong signals, including fines, to clarify that the role of a DPO is incompatible with leadership positions within an organization, even if those positions are advisory rather than executive. In a 2020 decision, the DPA deemed the DPO role incompatible, due to conflicts of interest, when held by a person who also headed the organization’s compliance, risk management, and internal audit units (the DPA issued a EUR 50,000 fine as a result; see our alert). In a more recent decision, the DPA reached a similar conclusion, finding the DPO role incompatible with heading two risk management units and an investigation unit. The main reason was that these other roles involved decision-making powers over the purposes and means of processing, and prevented the DPO from independently exercising oversight of these units. Also, as in the 2020 decision, the DPA raised concerns about the DPO’s ability to honor the secrecy and confidentiality requirements of the role (e.g., because what a DPO learns from employees may need to be reported under the organization’s risk management duties). The DPA found that the combination of these different roles within the organization caused conflicts of interest for the DPO (in breach of GDPR Art. 38.6), and it issued a EUR 75,000 fine.
Visit our A MoFo Privacy Minute Series page to view our collection of Q&As. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers on Cybersecurity, State Privacy Laws, and the GDPR + European Privacy.