On 28 April 2020, the Litigation Chamber of the Belgian data protection authority (the “APD”) imposed a €50,000 fine on a Belgian company, for non-compliance with the requirements relating to the appointment and function of a Data Protection Officer (“DPO”) under the GDPR. In particular, the APD took the view that the DPO’s other role as the Director of Audit, Risk and Compliance created a conflict of interest and therefore constituted an infringement of Article 38(6) of the GDPR.
This decision highlights challenges to the independence of DPOs that fulfil other tasks and duties within a business alongside their DPO role, and has raised concerns for many organisations about their DPO appointments and data governance structures.
What does the GDPR say about the DPO’s role being independent and avoiding all conflicts of interest?
Recital 97 of the GDPR states that “data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. This autonomy is essential in order to ensure that the DPO can advise an organisation independently in relation to the organisation’s processing of personal data. Article 37(6) of the GDPR confirms that the DPO can be a staff member of the organisation, or alternatively, may fulfil the DPO’s tasks on the basis of a service contract.
Article 38 of the GDPR sets out a number of requirements for the position of the DPO, including that the DPO should be involved in all issues relating to the protection of personal data, be equipped with all necessary resources, directly report to the highest level of management, and that the DPO should not receive instructions from the organisation regarding the exercise of its tasks. Specifically in relation to conflicts of interest, Article 38(6) of the GDPR states that “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
It is clear that the GDPR does not rule out the appointment of a DPO that also holds another role (or indeed roles) within the organisation. But how can you make sure that those additional roles do not result in a conflict of interest?
The Article 29 Working Party Guidelines on Data Protection Officers (the “WP29 Guidelines”), which have been subsequently endorsed by the European Data Protection Board, shed some light on this question. According to the WP29 Guidelines, the requirement to avoid other tasks and duties that give rise to a conflict of interest entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. This would give rise to a conflict of interest, as the DPO would be making decisions about data processing activities and also needing to advise independently in relation to those activities.
The WP29 Guidelines state that conflicting positions within an organisation may include senior management positions such as the CEO, COO, CFO, chief medical officer, head of marketing, head of HR and head of IT. The WP29 Guidelines also consider that roles lower down in the organisational structure may present a conflict, if such positions or roles lead to the determination of the purposes and means of processing. Because every organisation is structured differently, this has to be considered on a case-by-case basis.
Guidance from the UK’s data protection authority (the “ICO”) states that the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests. The example given by the ICO is a company’s head of marketing who plans an advertising campaign, including which customers will be targeted, the method of communication and the personal details that will be used. This person cannot also be the DPO, as the decision-making is likely to lead to a conflict of interest between the campaign’s aims and the company’s data protection obligations.
Similarly, the French data protection authority (the “CNIL”) states that the person occupying the role of DPO cannot be both “judge and jury”.
What happened in this case?
In this latest Belgian enforcement decision, the DPO did not occupy any of the senior management roles that are generally viewed as likely to give rise to a conflict of interest. Rather, the DPO’s other role was as the Director of Audit, Risk and Compliance.
The organisation took the view that the DPO’s other role was merely advisory, and that the person concerned did not take any decisions as to the purposes and means of processing of personal data.
However, the APD was not convinced by these arguments, and took a strict approach to the question of whether a conflict of interest arose. The APD’s view was that the DPO was doing more than merely advising the organisation internally, and that the person concerned was performing conflicting tasks in their role as Director of Audit, Risk and Compliance as they had significant operational responsibility for data processing activities within the domain of audit, risk and compliance. A person having responsibility for the Audit, Risk and Compliance departments implied that the person determined the purposes and means of the processing of personal data in those departments.
In deciding to issue an administrative fine (rather than just require an alternative DPO appointment), the APD acknowledged that the conflict of interest was not intentional, but considered there to have been serious negligence by the organisation concerned. The organisation may seek to appeal the decision.
What can organisations do to avoid a conflict of interest?
This decision has been surprising to many, not least because a DPO is often found within the compliance department of an organisation. However, one of the key factors in the APD deciding that the DPO was actually involved in determining the purposes and means of processing in their other role appears to be that this person was the director of the audit, risk and compliance function and was therefore more likely to be making these decisions. Organisations with a DPO that takes a similar dual role within the legal, audit, risk or compliance functions (or, for that matter, anywhere else within an organisation) may therefore want to look more closely at the independence and activities of that person, in order to determine whether a conflict of interest could arise. Key will be the level of seniority of the person and their ability to exercise control over the processing of personal data. This control does not have to extend across the wider business operations; it could be confined to their own department. This may cause a dilemma for organisations which, on the one hand, need to appoint someone with sufficient experience and standing to perform the required functions of the DPO, but, on the other hand, must not appoint someone so senior that they control the processing of personal data in their additional role.
Depending on the activities, size and structure of the organisation, it is therefore good practice for organisations to:
- identify the positions that may be incompatible with the DPO role, including in light of the latest APD decision;
- draw up internal rules to this effect in order to avoid conflicts of interest;
- reassess on a regular basis any internal DPO appointment where the appointee has additional roles, so as to take into account any change in the work of those additional roles that may result in a conflict; and
- if issues of capacity, expertise and/or conflicts of interest arise when determining an appropriate internal person to act as DPO, consider the appointment of an external DPO.