PONT Data&Privacy
One thing is certain: the positioning of the FG is high on the agenda

More than four years after the AVG came into force, the position of the data protection officer (FG) within an organization is still not being implemented correctly in practice. This is despite regulators having the subject high on their agenda, write Eliëtte Vaal (The Data Lawyers) and David Wesselman.

2 January 2023


Independence of the FG

The AVG requires that the FG can act autonomously in the performance of his duties. This obligation rests on the controller or processor, which must ensure that the FG is involved in a timely manner, receives no instructions regarding the performance of his duties, has sufficient resources, and does not perform tasks and duties that lead to a conflict of interest and impair the independent position. The European regulators' interpretation of this independence dates back to 2017 (1). It states that an FG "cannot hold a position that requires him or her to determine the purposes and means of processing personal data". Positions in senior management are therefore incompatible with the independent position of the FG. Whether a conflict of interest actually exists must be assessed on a case-by-case basis, according to the regulators. Specific duties that are incompatible with the performance of the FG's role are not discussed any further.

The AP's vision

The Autoriteit Persoonsgegevens (AP) sought to clarify the positioning of the FG in a vision document in 2021 (2). This was only partially successful, because the document contains mostly general principles and largely repeats the views of the EDPB from 2017. For example, it confirms that the positions of head of finance, strategy, marketing, IT, HRM or CISO are not compatible with the position of the FG, because of their operational responsibility for data protection. The AP does explicitly state in the vision document that the FG cannot represent the organization in court. What is lacking is a real clarification, with concrete examples, of which other tasks are incompatible with the role of the FG and where the advisory task reaches its limit. It is striking that in its recent FG newsletter, the AP nevertheless expects organizations to draw up policies naming the tasks that are incompatible with the FG's role (3).

Independence in practice

In practice, we see that many organizations cannot (yet) properly ensure the independence of the FG. A recent survey by the CIP (Center for Information Security and Privacy Protection) among FGs in the public sector shows that FGs are increasingly faced with conflicts of interest (4). In 2022, 33% of the FGs surveyed said they are concerned about or have experienced a conflict of interest (see Figure 1). In 2018, this percentage was only 12%. In our own practice, too, we increasingly see FGs who, in addition to their supervisory duties, are responsible for operational tasks in privacy compliance. This is the case, for example, when an FG is responsible for drafting policy, which sits uneasily with the supervisory task.

Fines

Despite the lack of guidance, fines have already been imposed for violations of Article 38 AVG. The best-known example is the fine of EUR 50,000 imposed by the Belgian data protection authority (the GBA) on the telecom company Proximus for conflicts of interest of the appointed FG. Besides being FG, this person was also director of the compliance, risk management and internal audit departments and ultimately responsible for drafting policy. According to the GBA, this constituted a conflict of interest because an FG cannot independently supervise departments for which the FG himself is responsible as head; by definition, in the GBA's view, this leads to a conflict of interest. The fact that the compliance, risk and audit departments had only an advisory function did not alter this, according to the GBA. Recently, the Berlin data protection authority also announced that it had fined an e-commerce company EUR 525,000 for a conflict of interest on the part of the FG (5). Within this company, the FG simultaneously held the role of managing director of two affiliated companies that acted as "processors" for the controller and that the FG was supposed to supervise.

New action by regulators

Enforcement is expected to increase. Recently, the EDPB announced that the 2023 Coordinated Action will focus on the designation and role of the FG (6). A coordinated action is a power of the EDPB to work with all national authorities towards a shared vision or action on an issue related to the AVG. The goal is for national authorities to prioritize the chosen issue and work together on effective enforcement. What powers the regulators will use on this topic remains to be seen. What is certain is that this year European regulators, including the AP, are forced to put the positioning of the FG high on the agenda. Organizations would therefore do well to critically assess the positioning of their FG and to establish how its independence is guaranteed. Additional guidance on this point from the AP would be very welcome as far as we are concerned.

1. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/wp243_rev01_enpdf_0.pdf
2. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/positionering_van_de_fg.pdf
3. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/nieuwsbrief_voor_de_fg_1_november_2022.pdf
4. https://cdn1.dpia.nu/uploads/Editor/20220913-fg-enquete-cip.pdf
5. https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2022/20220920-BlnBDI-PM-Bussgeld-DSB.pdf
6. https://edpb.europa.eu/news/news/2022/edpb-adopts-statement-european-police-cooperation-code-picks-topic-next-coordinated_en
