According to Article 38 of the General Data Protection Regulation, the Data Protection Officer may also perform other tasks and duties, but the organization must ensure that they do not result in a conflict of interests. As a general guideline, the Data Protection Officer cannot hold a position in the organization that leads him or her to determine the purposes and means of the processing of personal data. In addition to senior management positions (e.g. CFO, head of IT, marketing or HR), positions at lower levels of the organizational structure may also give rise to conflicts of interest if they require the determination of the purposes and means of data processing.
By decision of 16 December 2021, the Belgian Data Protection Authority imposed an administrative fine of EUR 75 000 on a bank in Belgium. The bank had failed to comply with its obligation under Article 38 of the General Data Protection Regulation to avoid conflicts of interest in the position of the Data Protection Officer.
In this case, the Data Protection Officer was also the head of a department of the bank responsible, among other things, for the bank's risk management. These positions should not have been combined, because they gave rise to a conflict of interests: it was not considered possible for the head of department to perform his duties without at the same time defining the purposes and means of the processing of personal data carried out as part of those activities. It was irrelevant that the advisory and supervisory activities carried out by the department were secondary to the main activities of the bank.
The decision also stressed that the role of the Data Protection Officer is not new in EU data protection legislation and that an organization such as a bank could be expected to have prepared carefully for the General Data Protection Regulation. The duration of the infringement and the volume of personal data concerned were also given weight in the case. It is also noteworthy that the Belgian Data Protection Authority had originally examined a different issue, namely whether data subjects could effectively exercise their rights under the General Data Protection Regulation; the conflict of interests came to light in the course of that investigation.
The case further clarified the interpretation of the conflict of interests referred to in Article 38 of the General Data Protection Regulation. Organizations must ensure that their Data Protection Officer is in fact kept separate from any role in which he or she may determine the purposes and means of the processing of personal data. Even if the tasks the Data Protection Officer performs in other roles are secondary to the main activities of the organization and are in fact mainly supervisory, a conflict of interests may nevertheless arise.