Belgium – Can a “head of” act as a data protection officer?

As part of its assessment of a company’s response to a data breach, the Belgian regulator has decided that a Head of Audit, Risk and Compliance cannot act as a data protection officer. We consider the wider implications of this decision and assess the impact outside Belgium.

Background

The issues arise from decision No. 18/2020 of 28 April 2020 of the Litigation Chamber of the Belgian Data Protection Authority in relation to an unnamed company (“Company Y”). The identity of the company was not disclosed, but the Authority stated that its revenue was approximately EUR 4 billion, indicating that it is a large organisation.

Company Y emailed its customers (mostly self-employed professionals) about switching from paper to electronic invoicing, but used both their primary and secondary email addresses for that purpose. As a result, emails and even invoices were accidentally sent to administrative/technical staff of those professionals.

Company Y filed a data breach notification with the Authority. This resulted in extensive correspondence with the Authority’s First Line Service, which reported the breach to the Management Committee. The Management Committee decided to refer the case to the Inspection Service and eventually brought the matter before the Authority’s Litigation Chamber.

Procedural issues

The dispute raised a series of procedural issues. Company Y argued that the First Line Service had exceeded its powers by taking actions reserved for the Inspection Service. The Litigation Chamber did not respond directly to this allegation but considered that Company Y’s right of defence was not violated because it had the opportunity to present its full case before the Litigation Chamber.

The Inspection Service also alleged that Company Y used techniques referred to as the “Ten D’s”[1] to avoid cooperating with the Belgian Authority (as required under Article 31, GDPR). However, this first allegation was not substantiated, and the Litigation Chamber decided that Company Y had cooperated with, and responded to questions from, the Authority.

The need for a data breach procedure

In terms of the substantive issues, the Inspection Service alleged Company Y breached its accountability obligation by refusing to:

  • disclose who was responsible for taking a decision on the risk assessment for the breach to determine if the breach should be notified to the Authority and the degree of seriousness indicated in the notification form; and
  • provide its framework for carrying out this risk analysis. Instead, it alleged Company Y just provided vague principles and explanations.

The Litigation Chamber also rejected these allegations, although the dispute underlines the importance of documenting data breaches (including their risk assessment) and having a well-documented process to deal with data breaches.

The role of the DPO

The Inspection Service’s third and last allegation was that the data protection officer:

  • was not sufficiently involved in discussions surrounding data breaches in violation of Article 38(1), GDPR; and
  • was not sufficiently independent to prevent conflicts of interest in violation of Article 38(6), GDPR. This was because the DPO also acted as its Head of Audit, Risk and Compliance.

In relation to the first issue, the Inspection Service relied on a RACI matrix in which the DPO was only “informed” but not “consulted” about the result of the data breach risk assessment (which was carried out by the business), and on the fact that a data field titled “advice of the DPO” in the data reporting form for this particular breach was left blank.

The Litigation Chamber agreed that it is insufficient for the DPO to just be “informed” about the breach and that consultation with the DPO was needed as early as possible in the process. However, in this case, the evidence suggested that the DPO had been properly involved in the breach response.

“Heads of” cannot be a DPO?

The Litigation Chamber’s decision on the second issue has broader implications. Company Y considered that its DPO, acting as Head of Audit, Risk and Compliance, only has an advisory role and does not take decisions as to the purposes and means of data processing activities (as per the A29WP’s Guidelines on Data Protection Officers). Moreover, it argued that Audit, Risk and Compliance departments are all supervisory functions that are, by definition, independent.

The Litigation Chamber disagreed. The DPO, as head of those departments, would necessarily have to take decisions about the purposes and means of the data processing activities and so cannot be independent. This approach was supported by a German case (a decision by the Bavarian data protection authority involving an IT manager, available here) and by academic commentary (De functionaris voor gegevensbescherming, Cahier editie 2, Politeia, pp. 119 – 121, F. Schram). Finally, Company Y only put in place a procedure to avoid conflicts of interest after the first exchanges with the Authority.

Importantly, this finding has broader application. The Litigation Chamber stated that, as a general rule, the position of head of a department is incompatible with the position of DPO in relation to that department’s activities.

A breach worthy of a fine

The Litigation Chamber gave Company Y three months to correct the issue and imposed a fine. It justified the decision to fine by indicating that the violation of the GDPR was serious and that it should have been clear to a company such as Company Y, especially as its core business involves the processing of personal data. Company Y also failed to correct the situation until the date of the hearing.

The fine imposed was EUR 50,000, which is the highest fine imposed by the Authority to date.

Just a Belgian problem?

The approach taken by the Belgian Authority arguably goes beyond the EU-wide guidance to date. The A29WP’s Guidelines on Data Protection Officers refer specifically to “chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments” as positions that conflict with the role of the DPO. The rationale is that these are all very data-heavy roles and anyone running one of these departments should not be marking their own homework. For example, the head of a marketing department’s desire to use and exploit customer data will create obvious conflicts with the organisation’s obligations under the GDPR.

The A29WP’s Guidelines acknowledge that conflicts can arise more widely and other roles lower down in the organisational structure can create conflicts if they lead to the determination of purposes and means of processing. However, the decision by the Litigation Chamber makes the blanket assertion that the position of “head of” any department is incompatible with the position of DPO in relation to that department’s activities.

This potentially creates concerns for organisations that have already appointed a “Head of Legal” or “Head of Compliance” as a DPO, and greater problems for smaller organisations where staff may have to wear many hats. In practical terms, the key steps to address this issue are likely to be to:

  • identify in advance where conflict of interest issues may appear. For example, the Belgian Authority’s decision refers to the fact that the Head of Audit, Risk and Compliance could undertake investigations that may lead to the dismissal of a specific employee. This raises clear data protection issues and might clash with his DPO role; and
  • address these issues by taking, and documenting, mitigating measures. For example, this might include a “four-eyes” principle for decisions where a conflict arises, so that the “head of” only makes a recommendation and the final decision is left to someone else.

It is not clear if other regulators will follow suit. As things stand, even if you do not have the Belgian Authority as your lead supervisory authority, or you have no establishment in Belgium at all, it would nevertheless be wise to consider the two practical steps above, although it might be too early to completely overhaul the DPO structure within your organisation.

The decision is accessible on the Belgian Authority’s website here (in Dutch).
By Guillaume Couneson

[1] The Belgian DPA refers explicitly to two websites detailing these techniques, namely http://www.aalep.eu/recognizing-your-opposition-tactics-and-responding-them and https://ctb.ku.edu/en/table-of-contents/advocacy/respond-to-counterattacks/overview-of-opposition-tactics/main.