What future for in-house DPOs?
The Belgian Data Protection Authority (DPA) recently issued Decision no. 18/2020 concerning the conflict of interest and independence within the function of an in-house DPO, setting a rather strict interpretation of the notion of conflict of interest of Article 38(6) of GDPR. The DPA had previously issued a Recommendation warning on the risk of the DPO’s conflict with different functions, including that of security officer.
While initially investigating other matters, the DPA found the defendant in breach of Article 38(6) of GDPR because it had appointed as DPO its own Head of Compliance, Risk and Audit. According to the DPA, the DPO’s position was not sufficiently free from a conflict of interest, and the DPO was not sufficiently involved in discussions on personal data breaches (as required by Article 38(1) GDPR). The DPA also observed that it is not enough to provide that the DPO be “informed”: the DPO should rather be “consulted” in all matters related to personal data.
Two main takeaways of the Decision:
Involvement of the DPO in your organization. The DPO must be duly and timely involved in all data protection matters (Article 38(1) GDPR). If the DPO’s involvement is reduced to merely informing him or her (ex post) of a decision already taken, the DPO’s function is eroded. This aligns with the WP29’s Guidelines on Data Protection Officers, which highlight the importance of involving the DPO as early as possible in any data protection-related matter. To enable GDPR compliance, early consultation with the DPO should be a standard procedure within your organization’s management (data protection by design). The DPO should be an interlocutor within your organization and be involved in the relevant teams and working groups dealing with data processing.
Risk assessment process. The GDPR requires that the DPO act in an advisory capacity, but not that he or she be co-responsible for final decisions. Therefore, involving the DPO, allowing him or her to carry out the analysis of the data protection risk independently, and then informing him or her of the final decision taken by those in charge, is GDPR-compliant.
Conflict of interest of your in-house DPO. In this case, the defendant argued that the person appointed as DPO was also responsible for compliance, risk management and internal audit, but that he did not take decisions in the exercise of those functions, having only an advisory role. The defendant also argued that it would take the necessary measures internally should a conflict of interest arise. The DPA found that responsibility over those departments implied that the person in fact determined the purposes and means of the processing falling under those domains.
As noted in the mentioned WP29 Guidelines and in a previous German case, the DPO cannot hold a position in which he or she determines the purposes and means of personal data processing. The DPA therefore holds that combining the DPO function with that of manager of a department the DPO is meant to supervise is inconsistent with the DPO function, as it conflicts with the DPO’s ability to perform his or her tasks independently. It could also result in insufficient guarantees of secrecy and confidentiality towards other staff members (Article 38(5) GDPR).
While the GDPR explicitly allows the DPO to be an internal member of staff (Article 37(6) GDPR), as thoroughly explained in the WP29 Guidelines, it becomes key to ensure a separation of functions and responsibilities.
In accordance with the mentioned WP29 Guidelines, the DPA identifies as good practice for controllers or processors, depending on the activities, size and structure of their organization, to:
- Identify incompatibilities with the function of DPO;
- Draw up internal rules to this effect in order to avoid conflicts of interests;
- Include a more general explanation about conflicts of interests;
- Declare that their DPO has no conflict of interests with regard to his or her function as a DPO, as a way of raising awareness of this requirement;
- Include safeguards in the internal rules of the organization and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed to avoid a conflict of interests (which may differ depending on whether the DPO is recruited internally or externally).
Does this Decision mean you should substitute your in-house DPO with an external one?
Not necessarily. The fate of this Decision is still uncertain as it may be subject to appeal. What should be noted is that (i) appointing as DPO a person who performs other tasks within your organization entailing significant operational responsibility for data processing may violate the GDPR; and (ii) the cumulation of functions resulting in self-monitoring should be avoided.
As an essential good practice, your organization should adopt conflict-of-interest and other internal rules to deal with potential conflicts of interests and safeguard your in-house DPO’s independence.
Do not hesitate to contact us should you require further information and assistance on the issue discussed in this note, or any other data protection and privacy-related matter.