27 May Is your DPO in conflict of interest ?
On 28 April 2020, the Data Protection Authority (DPA) imposed a fine of EUR 50,000.00 on a company (Proximus) for failing to comply with its obligation to avoid a conflict of interest on the part of its Data Protection Officer.
The GDPR describes the function of the Data Protection Officer (DPO) and specifies that the controller or processor must in particular ensure that the other tasks and duties that this person would perform within the company may not lead to a conflict of interest with his or her function as DPO or compromise his or her independence.
Following a data leakage (sending invoices to the wrong e-mail addresses of clients), an investigation was carried out by the DPA inspection service which, on that occasion, noted the existence of a conflict of interest between the function of Director of Compliance, Risk Management and Internal Audit and that of DPO otherwise exercised by that person.
In the context of these compliance and audit functions, this person had significant operational responsibility which meant that he was able to determine the purposes and means of processing personal data in the context of these functions. This role of data controller in a department is, the DPA says, incompatible with the function of DPO, who must be able to perform his or her tasks independently and, in the present case, the plurality of functions prevents any possible independent control by the DPO. The DPA adds that this accumulation of functions may also lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members.
This decision could lead many companies to replace their current DPOs. It should also be recalled that under the obligation of accountability – which refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules – it is necessary to document the assessment of whether or not it is necessary to appoint a DPO and, if so, to ensure its expertise by making recommendations on the matter.
For more information on that subject, feel free to contact Antoine DECLEVE esq. (email@example.com).
The Cairn Legal team.