Bank fined due to a conflict of interest regarding its DPO

Summary

An individual filed a complaint with the Belgian DPA, claiming that a bank had violated his right to rectification (GDPR, Article 16). During the investigation, the DPA broadened its scope to examine a potential conflict of interest regarding the bank's data protection officer (DPO). The Belgian DPA examined the different roles assumed by the DPO. In addition to being the DPO, the employee also headed the bank's operational risk management department, the information risk management department, and its special investigation unit.

It follows from GDPR, Article 38, that a DPO may have other roles within a company. However, the tasks and duties of the DPO must not result in a conflict of interest.

The bank claimed that the DPO merely held a position of formal responsibility as head of the three departments. As such, his supervisory role did not entail decision-making competences in relation to the purposes and means of personal data processing.

To support its argument, the bank referred to the organizational structure of the departments and previous case law from the Belgian DPA. However, the DPA proceeded to evaluate to what extent the independence of the DPO was ensured with respect to each of the three departments.

The DPA determined that issues regarding conflicts of interest must be determined on a case-by-case basis, taking into account the data controller's organizational structure. The DPA then found that the organizational structure of the bank de facto resulted in the DPO having responsibilities and performing tasks as head of the three departments that were incompatible with his role as DPO.

Decision of the Belgian DPA

The Belgian DPA fined the bank 75,000 EUR for the following violations:

• Failing to ensure the independence of the DPO (GDPR, Article 38(6)).

• Failing to provide the data subject with requested information (GDPR, Article 15).

The bank was also ordered to implement a compliance process to properly handle access requests from its clients.

Our remarks

• Organizations should exercise caution when appointing DPOs who hold multiple roles within the company. Conflicts of interest may arise if the DPO acts as the head of other departments where they are responsible, in some capacity, for making decisions related to the purposes and means of personal data processing.

• Avoiding conflicts of interest is always important to prioritize when appointing a DPO, regardless of the size of the organization. However, in cases where organizations process personal data relating to a large number of data subjects, as in the present case, the presence of a conflict of interest is even more significant. The greater the number of data subjects potentially impacted, the higher the risk of harm due to conflicts of interest, and as a result, the larger the potential fine that may be imposed.

Published: 16-12-2021
Journal number: DOS-2020-03763
Tags: 01 Legal basis and principles of processing

Complycloud EU GDPR Report