Bel­gi­um: Manage­ment of staff posi­ti­ons (Head Legal, Head Risk, etc.) incom­pa­ti­ble with the role of DPO?

The Data Pro­tec­tion Offi­cer within the mea­ning of Art. 37 et seq. GDPR (DPO) must, among other things, be independent:

• Pur­su­ant to Art. 38 Para. 3, the fol­lo­wing shall app­ly to him “in the per­for­mance of his duties, no ins­truc­tions as to the per­for­mance of such duties” may be issued, and the DPO “may not be remo­ved or dis­ad­van­ta­ged by the con­trol­ler or pro­ces­sor becau­se of the per­for­mance of his or her duties”.
• Accor­ding to Art. 38 (6) GDPR, the DPO may per­form other tasks and duties; howe­ver, it must be ensu­red that the­se do not lead to a con­flict of interest.
• Reci­tal 97 fur­ther sta­tes that DPO shall “whe­ther or not they are employees of the con­trol­ler, may per­form their duties and func­tions with com­ple­te inde­pen­dence” must.
• The EDSA, or rather the Artic­le 29 Working Group at the time, inclu­ded in its­elf in its gui­de­lines on DPOs (Gui­de­lines on Data Pro­tec­tion Offi­cers) in sec­tions 3.3 and 3.5.

It is clear, then, that a DPO can­not have exe­cu­ti­ve func­tions. The EDSA on this:

As a rule of thumb, con­flic­ting posi­ti­ons within the orga­nizati­on may include seni­or manage­ment posi­ti­ons (such as chief exe­cu­ti­ve, chief ope­ra­ting, chief finan­cial, chief medi­cal offi­cer, head of mar­ke­ting depart­ment, head of Human Resour­ces or head of IT depart­ments) but also other roles lower down in the orga­nizatio­nal struc­tu­re if such posi­ti­ons or roles lead to the deter­mi­na­ti­on of pur­po­ses and means of pro­ce­s­sing.[…]

The Bava­ri­an Sta­te Data Pro­tec­tion Office has the­r­e­fo­re alre­a­dy in 2016 deci­dedthat an IT mana­ger can­not be a DPO:

In the opi­ni­on of the BayL­DA, such a con­flict of inte­rest exi­sted in the case of a data pro­tec­tion offi­cer of a Bava­ri­an com­pa­ny who held the posi­ti­on of the company’s “IT mana­ger”. Such an expo­sed posi­ti­on with regard to the company’s data pro­ce­s­sing pro­ce­du­res is gene­ral­ly incom­pa­ti­ble with the duties of a data pro­tec­tion offi­cer. This would ulti­m­ate­ly amount to a data pro­tec­tion con­trol of one of the key func­tio­n­a­ries to be con­trol­led in the com­pa­ny by himself.

Howe­ver, it does not fol­low that, for exam­p­le, a Head of Legal, Gene­ral Coun­sel, Head of Com­pli­ance, etc. can­not act as DPO as long as this does not invol­ve an exe­cu­ti­ve func­tion in a busi­ness area; in this case, no con­flict of inte­rest should ari­se. Howe­ver, the Bel­gi­an regu­la­tor has now appar­ent­ly impo­sed a fine of EUR 50,000 on April 28, 2020, on a com­pa­ny who­se DPO is the Head of Inter­nal Audit, Risk Manage­ment and Com­pli­ance Depart­ment was. As far as can be seen, the decis­i­on is no lon­ger available on the web­site of the Bel­gi­an aut­ho­ri­ty; howe­ver, cf. e.g. the reports by Link­la­ters and Field Fisher.

Accor­din­gly, in the spe­ci­fic case, the DPO was invol­ved in the pro­ce­s­sing of a data secu­ri­ty breach. Bey­ond the indi­vi­du­al case, howe­ver, the aut­ho­ri­ty was of the opi­ni­on that the head of the­se depart­ments was ulti­m­ate­ly neces­s­a­ri­ly respon­si­ble for the pro­ce­s­sing of per­so­nal data in con­nec­tion with the com­pli­ance, risk and audit acti­vi­ties, which is why he could not be inde­pen­dent. As a rule of thumb, the Direc­tion of any (staff or busi­ness) func­tion incom­pa­ti­ble with the office of DPO..

This atti­tu­de is cer­tain­ly extra­or­di­na­ri­ly strict, and it con­tra­dicts a wide­spread practice.