Following a data breach, the GBA (the Belgian Data Protection Authority) set out its view of the position of the FG (the data protection officer, DPO). If the FG also holds other roles or functions, the controller should ask whether those roles and functions are compatible with the position of the FG under the rules of the AVG (GDPR). This blog discusses one aspect of the FG's functions and duties: conflicts of interest.
As part of its investigation, the GBA assessed the controller's compliance with its obligations under the AVG. One part of that investigation concerned the position of the FG under Article 38(6) AVG. That paragraph reads as follows:
Art. 38(6) AVG: "The data protection officer may perform other tasks and duties. The controller or processor shall ensure that these tasks or duties do not lead to a conflict of interest."
In the defendant's company, the FG also held the role of Head of Compliance, Risk Management and Internal Audit.
The GBA notes that responsibility for each of these three departments unmistakably implies that the person holding that role determines the purposes and means of the processing of personal data within those departments, and is therefore responsible for the data processing that falls within the domain of compliance, risk management and internal audit.
The WP29 Guidelines explain that the data protection officer cannot hold a position within the organization that requires him or her to determine the purposes and means of processing personal data. Doing so is a substantial conflict of interest. The role of head of a department that determines the purposes and means of processing is therefore incompatible with the function of data protection officer, who must be able to perform his or her duties independently. Moreover, combining these functions may undermine the guarantee of secrecy and confidentiality towards staff members required by Article 38(5) AVG. The GBA considers the violation of Article 38(6) AVG to be proven.
The GBA then imposes (1) a corrective measure, namely bringing the processing into compliance with Article 38(6) AVG, and (2) an administrative fine of €50,000. In doing so, the GBA considers that the breach was not intentional. However, a company such as the respondent's can be expected to have acted in accordance with the AVG from May 25, 2018 onwards, which did not happen.
First, it is important that the FG is independent and does not receive instructions on how to perform his or her function as FG.
The WP29 Guidelines also make clear that the FG must be properly and timely involved in all matters relating to the protection of personal data. Involving the FG early makes compliance with the AVG possible.
Furthermore, the role and position of the FG must not involve a conflict of interest: the FG may not determine the purposes and means of data processing. The WP29 (now the EDPB) additionally indicates in its guidelines that positions such as (general) director, director of operations, financial director, medical director, head of marketing, head of HRM or head of ICT, as well as lower positions within the organizational structure, are incompatible with that of FG insofar as the persons holding them determine the purposes and means of processing.
To avoid a conflict of interest, a controller can of course appoint an external FG.
Here too, there must be no conflict of interest, although one is generally less likely to arise than with an internal FG.
The absence of a conflict of interest is closely related to the requirement that the FG acts autonomously (independently).
A conflict of interest may also arise, for example, when an external data protection officer is asked to represent the controller or processor in court in litigation over data protection issues. Combining the functions of FG and legal counsel is therefore not self-evident.
Depending on the activities, size and structure of the organization, it may be good practice for controllers or processors to:
identify the positions that are incompatible with the position of FG;
draw up internal rules to avoid conflicts of interest (for example, an FG Statute or FG Charter);
include a more general explanation of conflicts of interest;
declare that the FG has no conflict of interest in his or her position as FG;
include safeguards in the organization's internal rules and ensure that the vacancy notice for the position of FG, or the service agreement with an external FG, is sufficiently specific and detailed to avoid conflicts of interest. Bear in mind that conflicts of interest can take different forms depending on whether the FG is recruited internally or externally.
See also: Belgian privacy regulator on accountability: what does this explanation mean for security incidents?
See also: Proximus receives record fine for AVG violation
More articles from PrivacyTeam