Belgian company is fined €50,000.- for appointing a DPO who holds a legal position in the company on grounds of “conflict of interest.”
It seemed logical that many companies left the role of the DPO to the head of the legal department within the company. This motivation also grew because this position did not yet exist in most EU countries, creating a high demand for people who had the right profile.
According to Art. 38.6 of the GDPR, it currently stipulates that organizations may appoint a DPO who performs other duties and tasks within the company.
Although that the Article 29 Group recognized that this assessment differs from company to company, positions such as business manager, marketing manager, HR manager or IT manager were already seen as positions that could involve conflicts.
So 1000s of companies chose to appoint their head of compliance or this one from the legal department as DPO!
Since these “professionals” have great affinity with legal compliance and how to put it into practice AND since they are not involved in decision-making for important data processing such as HR data, customer data, patient data, etc., this seemed logical.
So the Belgian data protection authority sees it differently, putting all these organizations at risk of fines.
The DPO online
The Belgian data protection authority’s decision sets a precedent, although it is still subject to appeal. Establishing a solid procedure that allows you to deal with conflicts of interest requires that your DPO actually meets the legal requirements as well as being able to act independently of the conflicting DPO.
For online GDPR advice, contact a DPO here.
