An EU Data Protection Authority – equivalent to the ICO – (‘the Regulator’) has fined a company €50,000 (£43,600) for appointing as its Data Protection Officer (DPO) someone who had another role in the company which created a conflict of interest and which therefore was in breach of the GDPR.
What does the GDPR say about DPOs and conflicts of interest?
The GDPR allows organisations to appoint an employee who has “other tasks and duties” as DPO, as long as that does not result in a conflict of interest. It is well-established that a conflict of interest will exist in many situations where a DPO holds certain internal positions and, until now, this had been understood to mean those in senior management positions such as CEOs, CTOs, COOs and Heads of Marketing, HR and IT.
However, in this case, the DPO had another role, but the Regulator was of the opinion that there was a complete lack of independent DPO oversight of the data processing activities taking place at the company. The Regulator was also concerned that, due to his dual role, the DPO might not be able to provide sufficient guarantees to employees in terms of confidentiality and secrecy.
How did the Regulator find out?
Following a data breach, the Regulator started an investigation into the company’s data protection practices and privacy programme. In the course of that investigation it emerged that the DPO had another role in the company.
Why was the fine €50,000?
According to the Regulator, the infringements of the GDPR amounted to serious negligence by the company, because:
- The concept of a DPO is not new;
- The company should have known what the GDPR says about DPOs and conflicts of interest; and
- The length of time of the infringement – it started in May 2018 (the DPO was appointed when the GDPR came into effect) and continued until now.
What does it mean for organisations with employee DPOs?
This ruling means that the category of conflicting positions has now been enlarged, to such an extent that it arguably becomes almost impossible to combine the role of DPO with any internal function within an organisation.
Although this case was not in the UK, the decision sets a legal precedent that is applicable in the UK.
For many organisations, having a DPO who combines that role with other functions may be a challenge that is impossible to overcome, other than by appointing an external DPO.
Update – 19/05/2020
That company is Proximus, and it has decided not to appeal the decision.
In addition, the APD (the Belgian equivalent of the ICO) had warned in its strategic plan that the appointment of data protection officers would be a particular focus of its investigations, and regarding this case it has stated:
“We have come to the conclusion that Proximus’s DPO has a role in decision-making around data issues. The DPO is supposed to serve as a guide in these procedures. He cannot therefore be the adviser and the one who makes the decision…”. – APD (Belgian equivalent of the ICO)
As is being reported, this decision will have consequences because (as we already knew) it indicates that a manager or head of department cannot at the same time hold the function of DPO. As the Group DPO for Ferrero has said, “This sets a very uncomfortable precedent for the several companies that have chosen the same approach”.
Proximus still has one month to appeal.