Through recent decisions, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) has examined the role of the Data Protection Officer (DPO) and set out its own interpretation of the requirements for this role, as well as the DPO's tasks.
In each case, the Litigation Chamber concluded – in a manner that may lead to controversy – that the (internal and external) DPOs appointed did not meet the requirements of the GDPR. The deadline for filing an appeal is still running in relation to these decisions, but it is already useful to look at the Litigation Chamber's position on this topic.
In summary, here are the top tips that result from this evolving case law:
- When recruiting a DPO, request evidence of expert knowledge of data protection law of the candidate in question, even when you work with a DPO agency;
- Carry out your own assessment of the candidate, even when you work with a DPO agency;
- If you are uncertain of the (best) candidate's expertise, compare the risk in your case of (i) continuing the search or (ii) hiring him/her and forcing the DPO to improve that expertise in the short/medium term;
- If there is a potential data breach, involve the DPO, but ensure that he/she is not involved in the decision on the risk (and on whether or not to notify the Data Protection Authority);
- Avoid having a DPO who is also head of any given department in your organisation;
- Ensure that there is a clear possibility for the DPO to report to the highest management level, and that this possibility is not limited to a yearly report.
Read on for more detail on the Litigation Chamber's reasoning – and how this might affect your organisation.
1. Preliminary remark: internal DPO or not?
The two main forms of DPO are (i) the internal DPO (an employee or a freelancer, hired directly by the organisation, on a full-time or part-time basis) and (ii) the external DPO (where the organisation has a direct relationship with a DPO agency, for which the "natural person" DPO works as employee or freelancer).
Each form has its own advantages, and based on these decisions, the Litigation Chamber does not appear to prefer one form over the other. The Litigation Chamber criticised the way in which the DPO role was organised in each case it examined – one relating to an internal DPO, another relating to an external DPO.
2. DPO selection
Before appointing a DPO, one must select the DPO carefully. Article 37(5) of the GDPR states that the DPO must be "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39".
a) Whose responsibility is it to test these qualities?
In one decision, where the relevant organisation was working with a DPO agency, the BDPA's inspection service criticised the organisation for not having tested such qualities among candidates. The organisation responded that the assessment of such professional qualities and expert knowledge of data protection law had been carried out at the level of the DPO agency: the DPO agency had imposed a "written and oral test", which was evaluated by the DPO agency. On this basis, said the organisation, it could reasonably trust the fact that the candidate (the external DPO) had the necessary professional qualities. Moreover, the candidate acted as DPO for other organisations.
The Litigation Chamber rejected this argument, considering that this was an admission that the organisation itself had never assessed whether the person in question had the necessary professional qualities for the role as DPO – and this was an infringement of Article 37(5) GDPR.
In practice: even if you work with an external DPO agency, you should assume nothing and request to have evidence of the candidate's professional qualities (including expert knowledge of data protection law).
b) Expertise regarding GDPR and/or information security?
As mentioned previously, Article 37(5) GDPR requires "expert knowledge of data protection law". Yet in the aforementioned case of the external DPO, the job description for the role of DPO stated as follows: "(extensive) Knowledge of the GDPR is a plus".
The Litigation Chamber considered that this approach did not comply with Article 37(5) GDPR, and stated the following in relation to the expertise needed for the role as DPO:
- "extensive knowledge of the internal IT systems and knowledge of all business processes in the broad sense can represent added value for the carrying out of the function of DPO and can as such be indicated as relevant skills and expertise";
- "[k]nowledge of the legislation on data protection is however a requirement, certainly with a view to the carrying out of the tasks of the DPO as set out under Article 39 GDPR".
In other words, expertise regarding data protection law is a requirement; IT expertise is a plus. It is worthwhile noting, however, that the Litigation Chamber did not require the DPO to have a legal background.
In reality, evaluating expertise regarding the GDPR can prove more difficult than one might expect for a variety of reasons, in particular:
First, from a practical perspective, based on the logic of the position, the DPO would likely have to know the GDPR at least as well as the best-informed person in the organisation; at the same time, there is still no official certification of expertise today. [Those claiming to be "certified DPOs" have merely followed an unofficial course; organisations must make their own assessment of the merits of such unofficial certifications.]
Second, there is the question of what counts as expert knowledge. Many who present themselves as "GDPR experts" only discovered data protection law after the GDPR's adoption in 2016, giving them a maximum of 4 years' experience. Given that far fewer people were advising on data protection law prior to 2016, setting a minimum of even 5 years' experience would immediately exclude most candidates for the role of DPO.
Third, tests must take national interpretations into account, given that even today supervisory authorities continue to have diverging interpretations on certain points (the DPO role being an example).
In practice: even if you work with a DPO agency, ask in-depth questions so that you can assess the candidate's professional qualities, and record the selected candidate's answers as well as at least the outcome of the assessment of other candidates. Until official certifications exist, though, know that there is no guarantee that your assessment process will be free from criticism.
c) Which candidate to choose?
Still in the same case of the external DPO, the organisation stated that of the various candidates, the person chosen was the "most suitable" one.
However, the Litigation Chamber considered that just because a candidate comes out of a recruitment process as the "most suitable" one, "this does not ipso facto demonstrate that the person is sufficiently suitable".
In other words, if an organisation has several candidates but is unable to find one who meets the "professional qualities" requirement of the GDPR, the Litigation Chamber seems to be of the opinion that the search for a DPO should continue.
This position appears to be very strict. Not only must the expertise be sufficiently tested, but if it is not properly demonstrated, no DPO can be appointed and the search must continue. Yet if an organisation is required to have a DPO as a result of its very nature or the processing it carries out, not appointing a DPO is in and of itself an infringement of the GDPR.
In practice: if you are not certain of the expertise of your preferred candidate, carry out a risk assessment and decide which is the larger risk – having an inadequate DPO during a certain period (with the possibility of forcing the DPO to improve his/her knowledge of data protection law in the short or medium term), or not having any DPO for a little longer while you continue your search.
3. Tasks of the DPO
a) Extent of involvement in relation to data breach situations
In a case regarding an internal DPO, part of the discussion concerned the involvement of the DPO in the management and assessment of potential personal data breaches.
The BDPA's inspection service criticised the organisation for merely informing the DPO of the result of the risk assessment regarding potential personal data breaches, rather than consulting him/her. The organisation responded that informing the DPO was sufficient under Article 38(1) GDPR, which states that the DPO must be "involved, properly and in a timely manner, in all issues which relate to the protection of personal data".
The Litigation Chamber refuted this position in part, considering as follows:
- Merely informing the DPO of the decision on the risk assessment and not consulting with him/her beforehand would hollow out the function of the DPO;
- The prior involvement of the DPO promotes compliance with the principle of data protection by design;
- In relation to the risk assessment process, the Litigation Chamber noted that the DPO was in reality involved, in that he/she carried out a separate assessment and provided advice prior to the decision on the risk. In other words, despite the organisation's argument that the DPO did not need to be consulted, he/she was consulted in practice;
- In relation to the result of the risk assessment, the Litigation Chamber noted that business representatives, not the DPO, were responsible for the final decision on the risk, and that this was consistent with Articles 38(1) and 39(1)(a) GDPR. In this context, the DPO was merely informed, not consulted, but this was permitted by the GDPR.
The Litigation Chamber concluded that in practice there was no infringement of Article 38(1) GDPR. However, it clearly considers that Article 38(1) GDPR requires the DPO's active involvement in the management of data breaches – not merely information afterwards. It is unclear how strong this position is, as it is based on considerations relating to data protection impact assessments and not on any guidance relating to data breaches.
In practice: If there is a potential data breach, involve the DPO, but ensure that he/she is not involved in the decision on the risk – and in particular in the decision on whether or not to notify a personal data breach.
b) Non-DPO tasks and conflicts of interest
In the same case of the internal DPO, the person in question had several roles in addition to that as DPO: he/she was also responsible for compliance, risk management and internal audit.
The organisation in question stated that it had taken various measures to mitigate the risk of any conflict of interest, and these measures were described in the form of a "DPO Charter". In addition, the organisation contended that the other functions were merely advisory functions, without the power to take any decision in relation to processing activities.
The Litigation Chamber held, however, that the organisation did not demonstrate that the DPO did not carry out any tasks that were incompatible with his/her position as DPO. On the contrary, it stated that "the role of head of a department is […] incompatible with the role of DPO" because the DPO cannot carry out any independent supervision of such a department. In other words, irrespective of the non-DPO tasks of the DPO him/herself, and irrespective of the measures taken by the organisation to limit the risk of any conflict of interest, the issue in the eyes of the Litigation Chamber appears to have been the theoretical possibility of independent verification of the department by the DPO.
In practice: avoid having a DPO who is also head of any given department in your organisation.
4. Position within the organisation
Under Article 38(3) GDPR, the DPO must be able to "directly report to the highest management level of the controller or the processor".
In the aforementioned case of the external DPO, it was unclear whether the DPO in question had the authority to report directly to the highest level outside of a yearly report.
The Litigation Chamber held that this was an infringement of Article 38(3) GDPR, and that the DPO must also be able to carry out his/her advisory or informational tasks vis-à-vis the highest management level on an ad hoc basis.
In practice: ensure that the reporting possibilities for the DPO are clear, and that the highest management level does not only see the DPO once per year for a yearly report.
5. What should you do?
Both of these cases started as investigations into non-DPO issues (a question about the scope of data processing in one case, a data breach in another case), and the investigations grew to encompass the assessment of the role of the DPO. No fine was imposed in the case of the external DPO, but that was likely just because the organisation in question was a public authority, and the Litigation Chamber cannot impose a fine on a public authority in Belgium. In the other case, the fine imposed (50.000 EUR) was the highest fine to date in Belgium.
In other words, just because you have not yet seen any criticism of the role of the DPO within your organisation does not mean you are safe.
Rather, check whether your DPO meets the practical requirements highlighted. If these requirements are met, there is a chance you will avoid a fine; if not, be forewarned.