DPOs and Conflicts of Interest: Key Takeaways
As the function of Data Protection Officer (DPO) plays a crucial part in ensuring efficient and secure processing of personal data, the EU General Data Protection Regulation (GDPR) places particular emphasis on the need for such officers to exercise their function in an independent manner. Given the need for such independence, this article briefly summarises the current legal aspects of the DPO appointment before outlining certain key steps that companies should always take in order to identify and avoid conflicts of interest.
Considered a cornerstone of the accountability principle, the function of DPO plays a crucial part in ensuring efficient and secure processing of personal data by controllers and processors. In this regard, the GDPR compels organisations that process personal data to appoint a DPO in the specific situations set out in Article 37 of the GDPR. In addition, the European Data Protection Board (EDPB, formerly the Article 29 Working Party or WP29) and the Belgian Data Protection Authority (DPA) recommend that, even if these situations are not met, companies still appoint a DPO on a voluntary basis to assist in complying with the GDPR. For both mandatory and voluntary appointments, the decision to have a DPO (or not) must be documented.
Independence of DPOs
As a general matter, the GDPR emphasises the obligation of DPOs to exercise their function in an independent manner. Article 38(6) of the GDPR specifies that although the DPO may fulfil tasks and duties other than those set out in Article 39, it is the responsibility of the controller and the processor to ensure that none of these tasks leads to a conflict of interest.
According to the EDPB, preventing such conflicts means that DPOs should not hold a position in which they would determine the purposes and means of personal data processing. As enumerated by the EDPB, such positions could include:
• Senior management positions (such as chief executive, head of human resources, chief financial officer, etc.); and
• Lower-ranked positions, if such roles involve the assessment of the purposes and means of processing.
Belgian decision – benchmark for COI?
On 28 April 2020, the Belgian DPA reaffirmed the fundamental need for DPOs to be independent and imposed a fine of €50,000 on a telecommunications company for not complying with this obligation. In this case, the organisation at issue had appointed an internal DPO who also headed the company’s Compliance, Risk and Internal Audit department. The DPA therefore concluded that the DPO’s decision-making power as head of internal audit created a conflict of interest. In this regard, the DPA emphasised that whereas the mere analysis of data processing was harmless to the proper conduct of a DPO, the assessment of the functioning of employees through internal audit was a different role that could lead to conflicts of interest with the tasks of a DPO.
Following the abovementioned decision of the Belgian DPA, the Luxembourg National Commission for Data Protection (NCDP) determined that the combined role of Chief Compliance Officer (CCO) and DPO gives rise to a conflict of interest. The NCDP recalled on this occasion that organisations must clearly demonstrate how the multiple functions of a DPO do not lead to a conflict of interest. It is our understanding that, with this case, the NCDP leaves the door open for DPOs to combine their core duties with other tasks, provided that the company can demonstrate the safety of such a combination.
Potential conflicts of interest of DPOs are determined on a case-by-case basis. As such, companies should always take the following steps in order to identify and avoid such conflicts of interest:
i. identify, in a proactive manner, positions incompatible with the role of a DPO;
ii. issue an internal regulation to prevent conflicts of interest;
iii. increase awareness within the organisation, for example through training sessions, of the tasks and duties of DPOs; and
iv. provide a job description for DPOs that is as detailed as possible.
Last, it should be noted that hiring an external DPO could minimise the risk of conflicts of interest, but this is not a panacea, and the appointment should be handled accordingly to avoid any unpleasant surprises.
Do not hesitate to contact us should you require further information and assistance on the issues discussed in this article or any other data protection-related matter.