July 13, 2020

Volume X, Number 195


July 10, 2020


Belgian DPA Sanctions Company for Non-Compliance with the GDPR’s DPO Requirements

On April 28, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €50,000 fine on a company for non-compliance with the requirements under the General Data Protection Regulation (“GDPR”) related to the appointment of a data protection officer (“DPO”).

Following the notification of a data breach, the Belgian DPA started an investigation into the notifying company’s data protection practices and privacy program. The investigation focused on three alleged infringements of the GDPR, in particular, (1) the duty to cooperate with the DPA, (2) the accountability obligations (including with respect to data breach notification-related risk assessments), and (3) the requirements related to the position of the company’s DPO.

In its decision, the Litigation Chamber of the Belgian DPA only upheld the alleged infringement of the GDPR’s DPO requirements (in particular Article 38(6) of the GDPR), arguing that by appointing the Head of the Compliance, Risk Management and Audit department as DPO, the company had failed to comply with its obligation to ensure that its DPO is free from any conflict of interest. In particular, the Belgian DPA’s Litigation Chamber indicated in its decision that:

  • If the DPO, as Head of the Internal Audit department, has decision-making power with respect to the dismissal of employees, this is not compatible with the DPO’s role as a confidential advisor for data protection-related matters.

  • The fact that the departments headed by the person acting as the company’s DPO (i.e., the Compliance, Risk Management and Audit department) fulfill an independent and advisory role in relation to the other business departments and, as such, do not have decision-making powers with respect to the company’s data processing activities does not necessarily mean that the individual’s tasks as Head of these departments are compatible with his tasks as the company’s DPO.

  • In his capacity as Head of the Compliance, Risk Management and Audit departments, the person appointed as the company’s DPO determines the purposes and means of the processing of personal data taking place in the context of these departments and, therefore, is responsible for these data processing activities.

In light of this, the Litigation Chamber of the Belgian DPA concludes that combining the role of department Head with the role of DPO gives rise to a significant conflict of interest. In the case at hand, the Belgian DPA maintains that due to the combination of roles, there is a complete lack of independent DPO oversight concerning the data processing activities taking place in the context of the Compliance, Risk Management and Audit departments. In addition, the Belgian DPA indicates that, due to his dual role, the DPO may not be able to provide sufficient guarantees to the concerned employees in terms of confidentiality and secrecy.

In light of the above, the Litigation Chamber has ordered the company to take measures to resolve the issue within a period of three months. Furthermore, the Litigation Chamber has decided to impose an administrative fine of €50,000. According to the Belgian DPA, such a fine is appropriate as the infringements result from serious negligence of the company, and considering that:

  • The concept of a DPO is not a new concept and has existed in various Member States and organizations for many years;

  • The company should have been prepared for the introduction of the DPO role by the GDPR, in particular, given that its core business activity involves processing of personal data on a very large scale, including data of a sensitive nature. As a result, the infringement could have an impact on millions of individuals; and

  • The duration of the infringement, which started in May 2018 (when the GDPR became applicable) and lasted until February 2020.

The decision may still be appealed at the Market Court. Read the Belgian DPA’s decision (in Dutch).

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 127
