The Belgian Data Protection Authority fines Proximus for DPO’s conflicting functions

June 10, 2020 | Blog

The Litigation Chamber of the Belgian Data Protection Authority recently fined Proximus - a large Belgian telecom provider - for appointing its head of compliance, risk management and internal audit as its DPO. A fine of 50.000 EUR was imposed on Proximus for breaching Article 38(6) of the GDPR. Article 38(6) allows DPOs to ‘fulfil other tasks and duties’. It requires, however, that the organisation ensures that ‘any such tasks and duties do not result in a conflict of interests’.

In line with the Guidelines of the WP29 (now EDPB) on Data Protection Officers, the Litigation Chamber rules that responsibility for each of the three departments unquestionably implies that the head of department, in this capacity, determines the purposes and means of the processing of personal data within these three departments. The head of department is therefore responsible for the data processing operations that fall within the field of compliance, risk management and internal audit.

According to the WP29 Guidelines, the absence of a conflict of interests is also closely linked to the requirement to act in an independent manner. Accordingly, the Litigation Chamber points out that the role of head of a department is not reconcilable with the function of DPO, who must be able to carry out his or her tasks in complete independence. The Litigation Chamber states that the cumulation, by one and the same natural person, of the function of head of each of the three departments, on the one hand, and the function of DPO, on the other hand, deprives each of these three departments of any possibility of independent control by the DPO. Furthermore, the Litigation Chamber states that the cumulation of these functions may have the effect that secrecy and confidentiality towards staff members, as required by Article 38(5) of the GDPR, cannot be sufficiently guaranteed.
