
Alston & Bird Privacy, Cyber & Data Strategy Blog


Belgian Data Protection Authority Fines Bank for DPO’s Conflicting Roles

January 31, 2022 By Yung Shin Van Der Sype and Wim Nauwelaerts

In a decision of December 16, 2021, the Belgian Data Protection Authority (“DPA”) imposed a EUR 75,000 administrative fine on a bank located in Belgium for failure to comply with the requirement in Article 38.6 of the General Data Protection Regulation (“GDPR”) that the tasks and duties of the Data Protection Officer (“DPO”) must not result in a conflict of interest.

The DPA opened an investigation into the bank’s compliance with the GDPR, which was initially centered on the question of whether the bank’s information systems allowed data subjects to effectively exercise their GDPR rights, in particular the right to rectification.  However, in the course of the investigation the DPA also decided to focus on the position of the bank’s DPO.

The GDPR imposes a number of obligations on data controllers aimed at ensuring that their DPO is in a position to act independently, without being constrained by other roles, tasks or duties.  Article 38.3 GDPR, for instance, requires controllers to ensure that the DPO does not receive any instructions regarding the exercise of his/her tasks.  The DPO cannot be dismissed or penalized by the controller for performing his/her tasks and must be able to report directly to the controller’s highest management.  Article 38.6 GDPR allows the DPO to fulfil other tasks and duties, but the controller needs to ensure that any such tasks and duties do not result in a conflict of interest.

In the case of the bank, the DPA found that there was an issue with the different roles that the DPO was assuming, resulting in a conflict of interest.

In addition to being the bank’s DPO, the individual in question was also leading the bank’s Operational Risk Management department, the Information Risk Management department, as well as the bank’s Special Investigation Unit.  During the investigation, the DPA raised concerns that the combination of these roles would result in a conflict of interest, as the position of department head implies certain responsibilities and duties that are incompatible with the DPO function.

In its defense, the bank emphasized that the concerned departments are charged with carrying out second-line functions, meaning functions that are not part of the bank’s primary activities (i.e., banking-related activities), and that, therefore, these departments do not themselves engage in separate data processing operations.  Their duties are only to supervise, set up frameworks and carry out controls.  Consequently, the head of these departments has no decision-making power as regards the purposes and means of the bank’s data processing activities, but is merely acting in an advisory and supervisory role.

The DPA, however, did not follow the bank’s reasoning.  The DPA first establishes that the second-line services carried out by the three concerned departments of the bank cannot be performed without determining the purposes and means of specific activities that involve processing of personal data.  This means that the head of the departments of the second-line services is responsible for determining the purposes and means of the processing activities in the context of its own second-line services.  This is also reflected in the bank’s record of processing activities, which lists a substantial number of categories of personal data that are processed by the three departments.  Moreover, the DPA found that the advisory and supervisory functions that the bank refers to inevitably require the processing of data from the bank’s first-line services, i.e. the bank’s core activities.  Therefore, the head of the three departments also determines the purposes and means of data processing activities relating to the bank’s first-line services.

This leads the DPA to conclude that the combination of the position of DPO with the position of head of three departments is not manageable without a conflict of interest on the part of the DPO.  Therefore, the DPA finds that there is a breach of Article 38.6 GDPR.

In light of this violation of Article 38.6 GDPR, the DPA instructs the bank to ensure that the processing complies with Article 38.6 GDPR, and that the DPO’s tasks or duties no longer result in a conflict of interest.  In addition to this corrective measure, the DPA imposes an administrative fine of EUR 75,000, as a sign of “vigorous enforcement” of the GDPR.

In its decision, the DPA carefully sets out its considerations leading to the different sanctions imposed on the bank.

The DPA points out that, although not deliberate, the violation follows from serious negligence on the part of the bank.  The DPO function is not new in EU data protection law, and the Article 29 Working Party (now the EDPB) published DPO-related guidance as early as 2016.  In addition, the DPA takes the position that an organization such as the bank can be expected to have prepared carefully for the GDPR (which became applicable in May 2018), since the processing of personal data is essential for the bank’s core activities.  Furthermore, the DPA takes into account the duration of the violation, which started at the time when the GDPR entered into force and lasted for more than three years.  Finally, the DPA also considers the number of data subjects involved.  According to the DPA, the bank processes personal data of a large number of data subjects.  The lack of effective safeguards for the protection of personal data, specifically through the appointment of a DPO who does not meet the GDPR requirements of independence, can impact a vast number of data subjects.

Against this background, the DPA also takes into account a number of mitigating circumstances, including the absence of harm to the individuals concerned (although it was not proven that no harm was caused either), the absence of previous violations, and the bank’s good faith cooperation with the DPA’s investigation.  The bank also argued that the measures it had taken to detect and prevent potential future conflicts of interest in a timely manner should be considered as a mitigating circumstance.  The DPA does not accept this argument because, in its opinion, these policies and mechanisms to avoid conflicts of interest had not been implemented in due time.

The DPA finally concludes that the totality of these elements justifies an effective, proportionate and dissuasive sanction provided for in Article 83 GDPR, resulting in the administrative fine of EUR 75,000.

This case illustrates that when supervisory authorities launch an investigation into a specific concern or complaint, they will not shy away from investigating and – if needed – taking enforcement action against other non-compliance issues.  While the bank’s practices were initially investigated in the context of a data subject request, the DPA broadened the scope of the investigation to assess the bank’s GDPR compliance in general, and ultimately imposed a fine for failure to comply with applicable DPO requirements.  It further shows that any organization’s GDPR compliance program is only as strong as its weakest GDPR link.  It is hard to predict when a supervisory authority will take a closer look into an organization’s overall compliance with the GDPR, but when it happens, solid compliance is the only way out.

—

Belgian DPA, Litigation Chamber, Decision 141/2021 (available in Dutch): https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-141-2021.pdf.

Filed Under: Data Protection, Enforcement, International, Privacy

About Yung Shin Van Der Sype

Yung Shin is an associate with Alston & Bird’s Technology & Privacy Group and Privacy, Cyber & Data Strategy Team. She focuses her practice on IT law and HR-related matters, including privacy and data protection, IT contracts, and corporate security.

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.
