In a rather shocking decision, the Belgian Data Protection Authority (DPA) has fined a company for having appointed its head of compliance, audit and risk as Data Protection Officer (DPO). According to the DPA, this combination of roles creates a conflict of interest and therefore constitutes an infringement of article 38.6 GDPR.
For many organisations, the appointment of the DPO has been one of the more complicated requirements to deal with under the GDPR. The detailed description of the DPO's tasks, the high requirements in terms of expertise, and the expectations of the Article 29 Working Party guidelines in terms of availability and language skills set the bar very high. Add the fact that this function did not exist in most EU Member States or organisations before the GDPR, creating huge demand for the limited number of people who met the legal requirements, and it is clear why many organisations have struggled to find the right person for the job.
It is therefore no wonder that many organisations decided to appoint the DPO from within the organisation. After all, article 38.6 GDPR expressly allows organisations to appoint a DPO who fulfils "other tasks and duties" as long as it does not result in a conflict of interest.
The Article 29 Working Party elaborated further on this principle in its Guidelines on Data Protection Officers: a conflict of interest exists where the DPO holds a position within the organisation that leads him or her "to determine the purposes and the means of the processing of personal data". Although the Article 29 Working Party acknowledged that this assessment must be made on a case-by-case basis, as a rule of thumb it identified senior management positions such as CEO, COO, CFO, Head of Marketing, Head of HR or Head of IT as conflicting positions, adding that roles lower down in the organisational structure may also conflict if they lead to the determination of the purposes and means of processing.
As a result of these guidelines, hundreds if not thousands of organisations that did not need a full-time DPO opted to appoint their head of compliance or head of legal as DPO.
This seemed logical. People in these positions could easily acquire the "expert knowledge of data protection law and practices" required by article 37.5 GDPR, if they did not have it already. They typically have a strong affinity with legal compliance and with how it is implemented in practice. Furthermore, in their role as head of legal or compliance, they are generally not involved in the decision-making for the organisation's key data processing activities (such as the processing of HR data, customer data or patient data).
Based on the latest decision of the Belgian DPA, all these organisations now run the risk of fines: in the DPA's view, appointing the head of compliance or legal as DPO demonstrates a "high degree of negligence".