Avoid conflicts of interest for the data protection officer - recent case law advises caution
If the appointment of a Data Protection Officer is topical in your organization or you already have one appointed, please pay attention to avoiding potential conflicts of interest. The Data Protection Officer, acting as the company's internal expert, must be independent. It must be ensured on a case-by-case basis that the person selected does not have any conflicts of interest with the duties of the Data Protection Officer. In December 2021, the Belgian Data Protection Authority imposed an administrative fine on a Belgian bank for failing to ensure this. The case encourages organizations to be vigilant about any other roles held by their Data Protection Officers.
What is a Data Protection Officer?
The Data Protection Officer is responsible for supervising the processing of personal data within the organization and assisting in complying with data protection rules. It is essential that the person selected has the expertise and sufficient resources and capacity to carry out the task, regardless of whether he or she is a member of the organization's own staff or whether he or she performs the duties on the basis of a service contract.
The Data Protection Officer highlights any shortcomings he or she has identified in the organization and reports directly to the company's senior management. Advising and supervising the conduct of data protection impact assessments is also the responsibility of the Data Protection Officer. In addition, the Data Protection Officer acts as a contact person for data subjects in the organization in matters related to the processing of personal data, while also cooperating with the Office of the Data Protection Ombudsman.
When should the Data Protection Officer be appointed?
According to the General Data Protection Regulation, the Data Protection Officer must be appointed if the organization:
processes large amounts of sensitive data; or
monitors individuals regularly and on a large scale; or
is a public authority (with the exception of courts).
Even if an organization is not obliged to appoint a Data Protection Officer under the General Data Protection Regulation or specific legislation, the appointment can be made voluntarily. In this case, the requirements of the General Data Protection Regulation apply in the same way as in a situation where the appointment is mandatory. In any case, the contact details of the Data Protection Officer must be notified to the Office of the Data Protection Ombudsman.
Risk of conflicts of interest
According to Article 38 of the General Data Protection Regulation, the Data Protection Officer may also perform other tasks and duties, but the organization must ensure that they do not result in conflicts of interest. As a general guideline, the Data Protection Officer cannot hold a position in the organization that leads him or her to determine the purposes and means of the processing of personal data. In addition to senior management positions (e.g. CFO, head of IT, marketing or HR), positions at lower levels of the organizational structure may also give rise to conflicts of interest if these positions require the determination of the purposes and means of data processing.
By decision of 16 December 2021, the Belgian Data Protection Authority imposed an administrative fine of EUR 75 000 on a bank in Belgium. The bank had failed in its obligation to comply with Article 38 of the General Data Protection Regulation regarding the avoidance of conflicts of interest.
In this case, the Data Protection Officer was also the head of a department at the bank which led, among other things, the bank's risk management. However, these positions should not have been combined because of the conflict of interest. It was not considered possible for the head of department to perform his duties without at the same time defining the purposes and means of the activities related to the processing of personal data. It was irrelevant that the advisory and supervisory activities carried out by the department were secondary to the main activities of the bank.
The decision also stressed that the role of the Data Protection Officer is not new in EU data protection legislation and that an organization such as a bank can be expected to have prepared carefully for the General Data Protection Regulation. The duration of the breach and the amount of personal data of the data subjects concerned were also given weight in the case. It is also noteworthy that the Belgian Data Protection Authority originally examined a different issue, namely the right of data subjects to effectively exercise their rights under the General Data Protection Regulation.
The case further clarified the interpretation of the conflict of interest referred to in Article 38 of the General Data Protection Regulation. Organizations must ensure that their Data Protection Officers are in fact kept separate from any role in which they may determine the purposes and means of the processing of personal data. Even if the tasks performed by the Data Protection Officer in other roles are secondary to the main activities of the organization and are in fact mainly supervisory, a conflict of interest may nevertheless arise.
How to ensure there are no conflicts of interest?
If the job description of the Data Protection Officer in your organization is limited to the tasks under Article 39 of the General Data Protection Regulation, there is no need to consider conflicts of interest further. However, if there are also other tasks, the existence of potential conflicts of interest should be assessed with a low threshold. Depending on the organization, it may be good practice to draw up, for example, internal rules or a general statement on the activities that are incompatible with the duties of the Data Protection Officer. Adequately defining the Data Protection Officer's role is also often justified.
A simple and straightforward option to avoid conflicts of interest is to appoint an external Data Protection Officer. At Fondia, we offer a Data Protection Officer service and would be happy to discuss any related issues with you. When you outsource your Data Protection Officer to Fondia, you can also be sure that your company will comply with data protection legislation while saving your employees' time and resources at the same time.