In a decision of December 16, 2021, the Belgian Data Protection Authority (“DPA”) imposed a EUR 75,000 administrative fine on a bank located in Belgium for failure to comply with the requirement in Article 38.6 of the General Data Protection Regulation (“GDPR”) that the tasks and duties of the Data Protection Officer (“DPO”) must not result in a conflict of interest.
The DPA opened an investigation into the bank’s compliance with the GDPR, which was initially centered on the question whether or not the bank’s information systems allowed data subjects to effectively exercise their GDPR rights, in particular the right to rectification. However, in the course of the investigation the DPA also decided to focus on the position of the bank’s DPO.
The GDPR imposes a number of obligations on data controllers aimed at ensuring that their DPO is in a position to act independently, without being constrained by other roles, tasks or duties. Article 38.3 GDPR, for instance, requires controllers to ensure that the DPO does not receive any instructions regarding the exercise of his/her tasks. The DPO cannot be dismissed or penalized by the controller for performing his/her tasks and must be able to report directly to the controller’s highest management. Article 38.6 GDPR allows the DPO to fulfil other tasks and duties, but the controller needs to ensure that any such tasks and duties do not result in a conflict of interests.
In the case of the bank, the DPA found that there was an issue with the different roles that the DPO was assuming, resulting in a conflict of interest.
In addition to being the bank’s DPO, the individual in question was also leading the bank’s Operational Risk Management department, the Information Risk Management department, as well as the bank’s Special Investigation Unit. During the investigation, the DPA raised concerns that the combination of these roles would result in a conflict of interest, as the position of department head implies certain responsibilities and duties that are incompatible with the DPO function.
In its defense, the bank emphasized that the concerned departments are charged with carrying out second-line functions, meaning functions that are not part of the bank’s primary activities (i.e., banking-related activities), and that, therefore, these departments do not themselves engage in separate data processing operations. Their duties are only to supervise, set up frameworks and carry out controls. Consequently, the head of these departments has no decision-making power as regards the purposes and means of the bank’s data processing activities, but is merely acting in an advisory and supervisory role.
The DPA, however, did not follow the bank’s reasoning. The DPA first establishes that the second-line services carried out by the three concerned departments of the bank cannot be performed without determining the purposes and means of specific activities that involve processing of personal data. This means that the head of the departments of the second-line services is responsible for determining the purposes and means of the processing activities in the context of its own second-line services. This is also reflected in the bank’s record of processing activities, which lists a substantial number of categories of personal data that are processed by the three departments. Moreover, the DPA found that the advisory and supervisory functions that the bank refers to inevitably require the processing of data from the bank’s first-line services, i.e. the bank’s core activities. Therefore, the head of the three departments also determines the purposes and means of data processing activities relating to the bank’s first-line services.
This leads the DPA to conclude that the combination of the position of DPO with the position of head of three departments is not manageable without a conflict of interest on the part of the DPO. Therefore, the DPA finds that there is a breach of Article 38.6 GDPR.
In light of this violation of Article 38.6 GDPR, the DPA instructs the bank to ensure that the processing complies with Article 38.6 GDPR, and that the DPO’s tasks or duties no longer result in a conflict of interest. In addition to this corrective measure, the DPA imposes an administrative fine of EUR 75.000, as a sign of “vigorous enforcement” of the GDPR.
In its decision, the DPA carefully sets out its considerations leading to the different sanctions imposed on the bank.
The DPA points out that, although not a deliberate, the violation follows from serious negligence on the part of the bank. The DPO function is not new in EU data protection law, and the Article 29 Working Party (now the EDPB) has published DPO-related guidance as early as 2016. In addition, the DPA takes the position that an organization such as the bank can be expected to have prepared carefully for the GDPR (which became applicable in May 2018) since the processing of personal data is essential for the bank’s core activities. Furthermore, the DPA takes into account the duration of the violation, which started at the time when the GDPR entered into force and lasted for more than three years. Finally, the DPA also considers the number of data subjects involved. According to the DPA, the bank processes personal data of a large number of data subjects. The lack of effective safeguards for the protection of personal data, specifically through the appointment of a DPO who does not meet the GDPR requirements of independence, can impact a vast number of data subjects.
Against this background, the DPA also takes into account a number of mitigating circumstances, including the absence of harm to the individuals concerned (although it was not proven that no harm was caused either), the absence of previous violations, and the bank’s good faith cooperation with the DPA’s investigation. The bank also argued that the measures it had taken to detect and prevent potential future conflicts of interest in a timely manner, should be considered as a mitigating circumstance. The DPA does not withhold this argument because, in its opinion, these policies and mechanisms to avoid conflicts of interest had not been implemented in due time.
The DPA finally concludes that the totality of these elements justifies an effective, proportionate and dissuasive sanction provided for in Article 83 GDPR, resulting in the administrative fine of EUR 75,000.
This case illustrates that when supervisory authorities launch an investigation into a specific concerns or complaint, they will not shy away from investigating and – if needed – taking enforcement action against other non-compliance issues. While the bank’s practices were initially investigated in the context of a data subject request, the DPA broadened the scope of the investigation to assess the bank’s GDPR compliance in general, and ultimately impose a fine for failure to comply with applicable DPO requirements. It further shows that any organization’s GDPR compliance program is only as strong as its weakest GDPR-link. It is hard to predict when a supervisory authority will take a closer look into an organization’s overall compliance with the GDPR, but when it happens, solid compliance is the only way out.
Belgian DPA, Litigation Chamber, Decision 141/2001 (available in Dutch): https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-141-2021.pdf.