With the introduction of the General Data Protection Regulation (GDPR), the designation of a data protection officer (DPO) has become mandatory for controllers and processors alike, under a number of specific conditions. Within his or her organisation, the DPO oversees the application of, and compliance with, the GDPR. In Belgium, on 28 April 2020, the national supervisory authority, the “Gegevensbeschermingsautoriteit” (GBA), imposed a fine because of a conflict of interest in the way the function of DPO had been filled. So far, the Dutch supervisory authority has not imposed any sanction for improper execution of the DPO function, but the ruling in the Belgian case is nevertheless fully relevant for organisations and institutions in other countries where the GDPR applies.
Article 38 of the GDPR
The Belgian case centred on Article 38 of the GDPR, which describes the DPO’s position and, in its first paragraph, requires the controller and processor to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The GDPR does not define what counts as ‘proper’ and ‘timely’ involvement, but the guidelines on data protection officers endorsed by the European Data Protection Board (the Board) stress the importance of involving the DPO ‘from the earliest stage possible’.
Furthermore, the sixth paragraph of Article 38 provides that although the data protection officer may fulfil other tasks and duties, the controller or processor must ensure that any such tasks and duties do not result in a conflict of interests. According to the Board, this means in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and means of the processing of personal data. Also relevant in this context is that, under paragraph 5 of Article 38, the DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks.
The actual trigger for the investigation by the Gegevensbeschermingsautoriteit was a data breach at Belgium’s leading telecommunications company, Proximus, which had sent emails to the wrong addresses. In its report on the matter, the GBA’s Inspection Service noted that the DPO had been insufficiently involved in the discussion of personal data breaches and had instead merely been informed of decisions after the fact. In the end, the GBA’s Litigation Chamber did not find a violation of Article 38, paragraph 1 of the GDPR, but it emphasised that full GDPR compliance can only be achieved by immediately informing and involving the DPO and, even more importantly, consulting him or her.
The Litigation Chamber did, however, find a proven violation of Article 38, paragraph 6 of the GDPR: the DPO in question also headed the audit, risk and compliance departments, and that, according to the Litigation Chamber, clearly qualifies as a position in which the person holding it determines the purposes and means of personal data processing within those departments and is therefore responsible for their processing operations. The Litigation Chamber concluded: ‘by cumulating, on the part of one and the same physical person, the function of responsibility for each of the three individual departments involved on the one hand, and the function of data protection officer on the other hand, any foundation for independent supervision of these departments by the data protection officer has been removed. Also, the cumulation of these functions may lead to the requirements, as laid down in Article 38(5) of the GDPR, of secrecy and confidentiality being insufficiently safeguarded.’ The fact that the function under scrutiny was advisory in nature only and carried no power of decision on processing operations did not change any of this.
For this violation the GBA imposed a fine of 50,000 euros, the highest fine imposed in Belgium to date since the GDPR became applicable. In justifying the severity of the sanction, the GBA emphasised that there can be no doubt that independence cannot be maintained while these functions are combined, and added that the concept of DPO is by no means new and already has a considerable history in many member states and in more than a few organisations. It is therefore far from unreasonable to expect a large organisation like Proximus to have prepared adequately for the GDPR, and where such preparation was absent or lacking, the violation has existed ever since the GDPR became applicable on 25 May 2018. Lastly, the amount of the penalty reflects the fact that Proximus processes personal data on a very large scale, including traffic and location data from telecom services, which data subjects perceive as decidedly sensitive. Moreover, with a customer base as large as the one served by Proximus, the negative effects of a DPO who does not meet the requirement of independence, and who is therefore unable to act freely without having to juggle multiple and possibly opposing interests, can affect millions of people.