Legal news 19 June 2020

The separation of powers in a company or the dpo’s guarantee of independence

By Ydès

As a reminder, since the entry into force of the GDPR (General Data Protection Regulation) on May 25, 2018, some companies are obliged to appoint a Data Protection Officer (DPO).

The following missions are conferred upon the DPO:

  • inform and advise the data controller with regard to its obligations for personal data protection;
  • monitor compliance with the GDPR by conducting compliance audits;
  • advise the data controller on carrying out a privacy impact assessment;
  • manage the interactions with the French Data Protection Authority (CNIL) (or any other supervisory body) and, in this regard, handle the correspondence with the latter.

The DPO plays a sensitive role and, accordingly, cannot be both judge and party.

The DPO must be independent and must not hold a decision-making position in the company (for example, general director, financial director, marketing director, human resources director, I.T. director…) or any other position of a lower level if the latter involves defining the purposes and means of processing personal data, as this would result in a conflict of interest.

In its decision rendered last 28 April, the Belgian Data Protection Authority (DPA) found:

  • a failure by the company to comply with its obligation to prevent a conflict of interest on the part of the Data Protection Officer (Article 38.6 of the GDPR),
  • the Data Protection Officer's insufficient involvement (Article 38.1 of the GDPR).

The Belgian data protection authority was seized following a data breach at the company: due to an error in the selection of email addresses, a number of invitations intended for independent professionals (and, accordingly, the related electronic invoices) were sent to secondary email addresses attached to a client in the company's database, but which had no direct relation with the client in question. These secondary contacts were administrative or technical contacts.


CONFLICT OF INTEREST:

"The Data Protection Officer may perform other missions and tasks. The data controller or the data processor must ensure that these missions and tasks do not result in a conflict of interest." (Article 38.6 of the GDPR)

  • Plurality of tasks and guarantee of independence

In this matter, the Belgian authority held that a conflict of interest existed, as the DPO also held the positions of compliance department director, audit department director and risk management director in the same company, and these positions involved operational responsibility for the data processing carried out by these three departments.

The defendant company argued that these different functions involved only a limited risk of conflict of interest, insofar as they had a purely advisory role with respect to the data processing activities.

Nonetheless, the Belgian Data Protection Authority ruled that holding these several positions inevitably implies that this person defines, for each department, the means and purposes of the personal data processing and, accordingly, acts as data controller while also being the DPO for these three departments.

  • Combining the roles of data controller and DPO in the same individual is incompatible with the DPO's independence obligation.

  • The plurality of tasks and the respect of confidentiality

The Belgian Data Protection Authority also considers that holding these several functions may result in an insufficient guarantee of secrecy and confidentiality vis-à-vis members of staff.

In this matter, it is noted that the defendant company processes the personal data of millions of individuals. The DPA considers that, in this regard, the DPO must provide effective guarantees of the confidentiality of the data, which was not evidenced in this case.

  • Combining the roles of data controller and DPO may have an impact on data confidentiality.


THE DPO’S INSUFFICIENT INVOLVEMENT:

The Belgian data protection authority reminded the defendant company of the principle set forth in Article 38.1 of the GDPR, pursuant to which the DPO must be "involved, properly and in due time, in all questions relating to personal data protection".

In this matter, the defendant company considered that the DPO should be informed of, but not consulted on, the risk evaluation process.

On this point, the Belgian data protection authority recalled that the DPO must have an advisory role towards the data controller on the risk evaluation process, but must not be co-responsible for the final decision. In this instance, it considered that the elements provided did not evidence a breach of Article 38.1 of the GDPR.


SANCTION FOR A CONFLICT OF INTEREST:

The Belgian data protection authority ordered the company to pay an administrative fine of 50,000 euros for a breach of Article 38.6 of the GDPR.

This sanction is justified in particular by the nature and gravity of the breach, its duration, and the significant volume of data processed (in this case, the defendant processes the data of millions of individuals).

Even though this amount may appear significant in this case, it must be recalled that it represents only a minute percentage of this company's turnover of billions of euros.

In conclusion, in light of this decision, it must be borne in mind that the role of Data Protection Officer cannot be exercised independently when combined with that of director of a department which the Data Protection Officer is required to monitor.

It must also be mentioned that, in one of its opinions, the Article 29 Working Party had already emphasized that:

"The absence of a conflict of interest is closely related to the obligation to act independently. Even though DPOs are authorized to carry out other duties, a DPO may only be granted other missions and tasks on condition that the latter do not result in a conflict of interest. This means, in particular, that the DPO may not hold a position in an organization which leads him or her to define the purposes and means of processing personal data. Due to the specific organizational structure of each organization, this aspect must be analyzed on a case-by-case basis."

Today, we have to admit that the obligation of independence is often disregarded, with many DPOs simultaneously holding the role of director or head of a department within small and medium-sized enterprises (SMEs)…

To enable the DPO to carry out his or her missions independently and to ensure the confidentiality of the data processed, Ydès offers to assist companies in appointing and training an in-house DPO, or to perform the duties of DPO externally.