Fine due to conflict of interest of the internal DPO

Company: Bank (name not known)
Possible data protection breach: conflict of interest of the internal DPO.
Authority: APD (Belgian Data Protection Authority)
Amount of fine: 75,000 euros

The Belgian data protection authority imposed a fine on an unnamed bank because its internal data protection officer was also the head of three departments with decision-making powers over the processing of personal data.

According to the supervisory authority, this led to a conflict of interest that violated Art. 38(6) GDPR. Under the GDPR, the internal DPO may perform other tasks and duties, but the controller or processor must ensure that these do not result in a conflict of interest.

Because the DPO was simultaneously head of the bank's operational risk management, information risk management department and special investigation unit, this requirement was not met.

The Belgian DPA argues that these activities are not purely advisory and supervisory functions. A conflict of interest is assumed whenever the DPO can decide on the processing of personal data himself.

The responsibility for the named departments lay with the internal DPO. Therefore, the DPA considered that there was a conflict of interest in violation of the GDPR.

On this basis, the APD imposed a fine of 75,000 euros on the bank.

The European Data Protection Board (EDPB) has issued guidelines on how to avoid conflicts of interest (WP 243). Depending on the size, structure and activities of an organisation, it can:

  • identify the positions that are incompatible with the function of a DPO,
  • establish internal guidelines in this regard to avoid conflicts of interest,
  • provide a general explanation of potential conflicts of interest,
  • declare that the DPO has no conflict of interest in relation to his or her function, and in this way raise awareness of this requirement,
  • include safeguards in the company's internal policies and ensure that the job description for the position of DPO or the relevant service contract is sufficiently precise and accurate to avoid conflicts of interest,
  • where applicable, appoint an external DPO instead, as this can avoid internal conflicts of interest under Art. 38(6) GDPR.