In December of 2021, the Belgian Data Protection Authority (GBA in Flemish) imposed a fine of 75,000 Euros to be paid by ING Belgium for employing a DPO who lacked a position of independence. The decision came in the wake of a complaint submitted by one of the bank’s clients claiming to have suffered an infringement on his right to rectification, which implies that data subjects are entitled to correction, completion or restriction of their personal data as held by an organisation. Implementing the requested changes proved difficult for the bank, because it used an obsolete client data system, dating back to 1995, which did not allow for easy performance of minor edits, like the insertion of diacritical characters in a client’s name.
Following up on this complaint, the Belgian GBA started an investigation as to the overall privacy performance of ING Bank, with specific attention to the position of its DPO. For one thing, the GDPR, in Article 38(3) and (6), clearly states that within the organisation, a DPO has to be able to monitor privacy law compliance from a position of independence. This is exactly what the GBA set out to verify in the process leading up to the aforementioned fine. To ensure this independent position, the Article specifies that the DPO must report directly to the highest management level of the organisation and that other tasks and duties fulfilled by the DPO, where applicable, must not result in a conflict of interests.
In this blog, we will take a closer look at the GBA’s penalty ruling by examining these two defining aspects of the DPO’s role within an organisation in order to answer the following key question: When and under which circumstances, based on Article 38(3) and (6) GDPR, can the required independent position of the DPO be said to be compromised?
Article 38(3) GDPR specifies that the DPO must report directly to the highest level of management. The reasoning behind this requirement is that, in order to ensure the DPO’s independent position, he or she must not be subject to instructions from superiors with regard to the performance of his or her duties, and that the DPO cannot be sanctioned or penalised by employees with a position of higher rank in the organisation’s hierarchy.
In the case of ING Bank, the DPO reported to the executive committee – the bank’s highest authority – by way of the Chief Risk Officer (CRO). Here, the GBA ruled that reporting through a natural person, in this case the CRO, did not present a problem, since the CRO is in fact a member of the executive committee and in that capacity serves as a legitimate point of access to said body of management. It is sufficient for the DPO to report to the institution representing the highest level of management; he or she does not necessarily have to report to the highest individual representative of executive power, which would be the CEO. Reporting to a member of the committee, in this case the CRO, qualifies as directly reporting to the highest management level.
What’s more, the DPO is a permanent member of ING Bank’s Data Council, a subcommission and extension of the executive committee, with decisions by the former being binding for the latter. This strengthens the legitimacy of qualifying the hierarchic structure as supporting a form of direct reporting to the highest management level.
Based on the above, the GBA then concludes that there is no ground to suggest a violation of Article 38(3) of the GDPR.
Conflict of interests
The GBA then proceeds to assess whether a conflict of interests in the sense of Article 38(6) GDPR is present. In principle, there is nothing wrong with a DPO fulfilling additional tasks and duties, as long as this does not lead to a conflict of interests.
In this case, the DPO had multiple roles within the organisation, acting as head of the Operational Risk Management (ORM), Information Risk Management (IRM) and Special Investigation Unit (SIU) departments.
The WP29 Guidelines on Data Protection Officers include definitions of the circumstances introducing the potential for conflicts of interests. Where a DPO, for instance, fulfils an additional function in which he or she has to determine the purposes and means of personal data processing, this presents a clear case of conflict of interests.
Part of the defence offered by ING Bank was that the DPO, in his function of department head, acted only in a supervisory and monitoring capacity. The register of processing operations, however, showed that the various departments headed by the DPO were in fact in a position to actually determine the purposes and means of the processing of personal data. The GBA therefore stated that the function of ORM, IRM and SIU department head includes the responsibility to determine the means and purposes of the personal data processing operations carried out in those three departments. This led to the GBA’s conclusion that the combination of DPO duties and professional tasks in the capacity of triple department head cannot be performed without conflicts of interests inevitably occurring. This, in turn, led to a final ruling by the Chamber of Litigation that the case did indeed constitute a violation of Article 38(6) of the GDPR.
The answer to the question of whether the DPO in this scenario did or did not directly report to the highest level of management strongly depends on how relations and dependencies are set up. The way responsibilities are structured at ING Bank, direct reporting is more or less intrinsically ensured by organisational design.
What this case also shows is that organisations should carefully consider the desirability of having a DPO fulfil multiple roles. The important thing is ‘top down’ embedded awareness of the necessity of the DPO’s independent position. In the case of ING Bank, the DPO had three other, additional roles. Based on this fact, and given the high likelihood of some form of personal data processing being performed in any of the related business units, the Belgian Data Protection Authority ruled out the possibility of independent supervision of the processing of personal data carried out in the departments managed by the DPO.