Belgium: Belgian DPA issues €50,000 fine to organisation for DPO appointment violation
The Belgian Data Protection Authority ('DPA') issued, on 28 April 2020, its decision ('the Decision') whereby it fined an organisation €50,000 for non-compliance with the obligation to cooperate under Article 31 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and for the appointment of the director of a department as the data protection officer ('DPO'), in violation of Article 38(6) of the GDPR. In particular, the Decision outlines that the appointed DPO worked as director of the internal audit, risk management, and compliance departments, which the organisation argued are all advisory in nature. Nevertheless, the Decision highlights that the DPO was insufficiently involved in the discussions of personal data breaches and that the organisation did not have a policy to prevent any conflicts of interest. Therefore, the Decision finds that the function of the DPO cannot be conducted in an independent manner and resulted in conflicts of interest.