The Belgian Data Protection Authority’s decision 18/2020
Point of view
On 28 April 2020, the Belgian Data Protection Authority imposed a fine of €50,000 on a company for non-compliance with the requirements of the General Data Protection Regulation (GDPR) related to the independent role of the data protection officer (DPO). In this article, we examine the decision, which came as a surprise to many, and its impact.
DPO with a conflict of interest
The decision by the Data Protection Authority (DPA) imposed corrective action and an administrative fine on the defendant on the specific ground of the DPO’s conflicts of interest. This came as a surprise to many EU and Belgian multinationals, and to smaller companies as well. However, the DPA’s reasoning aligns with the fundamental conditions the GDPR sets out for the DPO’s assignment and performance of tasks. It also echoes best practices already emphasised in EU regulators’ guidelines on the same topic.
In this specific case, the DPA found that the company in question failed to provide sufficient evidence that there was no (potential) conflict of interest for the person assigned as DPO, given the other positions they held in the company. In its analysis, the DPA clarified that each possible conflict of interest for the DPO should be assessed on a case-by-case basis, based on the specifics of the situation and taking into account the measures the company has put in place to safeguard the DPO’s independent controlling role in the organisation.
Decision sheds light on other important elements
This decision has brought forward interesting insights into other topics triggered by the investigation procedure. It has notably clarified the multi-layered and transversal effect of accountability as a principle that should be observed not only when checking whether a company meets the foundational data protection principles (fairness, data limitation, proportionality…) but also when checking any other obligation set forth in other sections of the GDPR, including data breach notification.
It also highlighted the central role of keeping documentation on incidents, regardless of the risk attached to them, as well as the obligation to ensure the effective involvement of the DPO, in its consultative role, early on in the incident management and data breach notification procedure.
Deloitte view on Belgian DPA Decision - Lessons learned
In this Point of View we explore the main lessons learned from this decision by the Belgian Data Protection Authority.
Deloitte view on Belgian DPA Decision - Detailed analysis
Read a more detailed analysis of the Authority’s reasoning in this case, including the procedural aspects of the investigation.