Belgian DPA emphasises the need for an independent DPO… with a fine of 50.000 EUR!

A decision of 28 April 2020 of the Belgian Data Protection Authority sheds light on the GDPR regulations concerning data protection officers (DPO).

As a result of a data breach, a(n) (unnamed) company was audited by the Belgian data protection authority (DPA) and was found to be in breach with GDPR provisions on DPOs.

More in particular, the DPA took issue with a data protection officer (DPO) who simultaneously held a position as director audit, risk and compliance within the same organisation.

According to the DPA, referring also to the relevant guidance documents of the European data protection body (WP 29, now European Data Protection Board), a DPO cannot simultaneously hold a position within an organisation where he or she must determine the purposes and means of the data processing activities and which should essentially be monitored by the DPO. The DPA considers that a role of department head of this kind is not compatible with that of a DPO, the latter being required to exercise its tasks in full independence.

Result of this breach is an administrative fine of 50.000 EUR imposed on the company. To motivate this fine, the DPA took into account the size of the company, the fact that it processes vast amounts of personal data and the duration of the breach. These (explicit) considerations seem to indicate that the DPA’s decision takes into account some of the arguments that were raised by the Belgian Market Court, who had ruled against a sanctioning decision of the DPA only a few months ago, stating that the DPA had insufficiently motivated the fine imposed.

This decision shows (again) that sanctioning for GDPR violations continues to increase in Belgium, both in terms of periodicity and amount of fines imposed!

For more information, please contact Antoon Dierick (Antoon.dierick@mertens-depaepe.be).