Belgium: DPO conflict of interest
The Belgian Data Protection Authority's ('Belgian DPA') recent investigations offer some broader takeaways on the role of the data protection officer ('DPO') and how to deal with conflict of interest requirements under Article 38(6) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Diletta De Cicco and Charles Helleputte, Associate and Partner respectively in the cybersecurity and data privacy group of Mayer Brown, highlight the practical implications of the Belgian DPA's investigations for the role and functions of the DPO and the need for companies to be prepared to be scrutinised for all aspects of privacy compliance.
Breach notification - an opportunity for DPO investigation
As highlighted by the Belgian DPA, inspection of compliance considerations such as the requirement for DPO independence may arise through audits of other related GDPR compliance aspects, such as following a data breach notification. In particular, the Belgian DPA highlighted that, when investigating reported data breaches, it will consider whether the DPO is:
- actually involved in the discussions around the personal data breach (including the assessment of the severity of the breach); and
- able to perform his or her DPO duties independently of the DPO's other, more 'operational' functions.
The involvement of the DPO
The Belgian DPA emphasised the importance of complying with the obligation to involve the DPO 'properly and in a timely manner' in all data protection issues, as outlined in Article 38(1) of the GDPR. The Belgian DPA underlined, by making reference to the Article 29 Working Party Guidelines on DPOs ('the WP29 Guidelines'), that the essence of a DPO's function is that the DPO be consulted, as early as possible, on establishing compliance with the GDPR. The Belgian DPA also points out that 'informing' is not 'consulting' and that limiting the involvement of the DPO to merely receiving ex post information goes against the ratio legis of the GDPR; it also undermines the crucial role the GDPR recognises the DPO as having. Furthermore, involving the DPO in data protection matters should be a standard procedure and part of a company's processes. This does not mean, however, that the DPO must have the final say on matters (such as the outcome of a risk assessment following a personal data breach), but that the DPO's opinion should be appropriately taken into account. The DPO is a privacy guard within an organisation rather than the commander leading the army.
The DPO's conflict of interest
Nothing precludes a DPO from having other tasks within an organisation; however, the GDPR requires that the DPO must not have tasks and duties resulting in a conflict of interest. It is the responsibility of the data controller/processor to ensure that the DPO can effectively perform his or her tasks.
The Belgian DPA has also considered the following elements in its examination of the DPO's role.
Need for independence of function
The WP29 Guidelines stated that a DPO cannot act independently if he or she holds a position within the organisation where the DPO 'determine[s] the purposes and means of the processing of personal data.' Typical examples would be senior management roles, e.g. the Chief Executive Officer or the Chief Information Officer. The same may hold true for other roles; hence a case-by-case analysis is necessary.
The Belgian DPA has emphasised that, even where a DPO holds a senior position in a department that is purely advisory, he or she may nonetheless exercise decision-making powers. In any case, the Belgian DPA highlighted that, if a DPO occupies a position within a company that gives them important operational responsibility for data processing activities in, for instance, the fields of audit and risk, there will be a violation of the principle laid down by the WP29 Guidelines.
Confidentiality and secrecy obligations
The Belgian DPA has also made it clear that the concentration of various roles in one natural person could undermine the obligation of secrecy or confidentiality towards employees that Article 38(5) of the GDPR imposes on the DPO.
Need for internal policy
Finally, the Belgian DPA highlights that a policy or internal rules aimed at preventing conflicts of interest is a key measure towards ensuring compliance with Article 38 of the GDPR.
The existence of a conflict of interest, coupled with the absence of such a policy, in an organisation where processing of personal data on a large scale is a core activity, is, according to the Belgian DPA, a significantly negligent misstep.
Food for thought
Many companies, after the entry into force of the GDPR, appointed an internal DPO for whom this role became an additional one. The Belgian DPA's recent guidance, building on the WP29 Guidelines, reinforces the idea that there is a limit to an organisation's discretion in appointing an internal DPO who holds another senior management position. The Belgian DPA and the WP29 Guidelines do not call for the DPO role to necessarily be a full-time job, but for careful attention to be paid to the duties of the role, the hierarchical level of the appointed individual, and evidence of an adequate assessment and actual practice of procedures to address and mitigate conflicts of interest.
With the recent two-year anniversary of the GDPR's entry into force in mind, the Belgian DPA's recent investigations are a wake-up call for companies to (re)consider some of the related initial choices made. This would be sound and prudent not only to comply with day-to-day privacy requirements but also to be ready for an audit; questions on the role and functions of the DPO might arise even when an organisation is being audited for another privacy matter.