The Belgian Data Protection Authority fines a Data Controller EUR 50,000 for appointing a DPO who was also its Head of Compliance, Audit and Risk – a warning for Liechtenstein companies.
The GDPR has now been directly applicable in Liechtenstein for almost two years. Since it came into force, Liechtenstein has implemented its Data Protection Act ("DSG") granting broad powers to the Data Protection Authority ("DSS") such as the right to access the premises of the data controllers (see Art 17 DSG) and the right to impose fines (see Art 40 DSG).
Everyday practice shows that the DSS is prepared to use the powers conferred by the GDPR and the DSG to ensure that data controllers respect the basic principles of the GDPR. After an initial phase in which the DSS focused on advising data controllers on the implementation of the GDPR, in late 2019 the authority started investigating by sending questionnaires to various data controllers.
In this context, a recent decision of the Belgian Data Protection Authority ("DPA") (see decision dated 28 April 2020; AH-2019-0013) is of particular interest to Liechtenstein companies. Following a data breach notification by a company (apparently, invoices had been sent to the wrong addresses), the Belgian DPA began to investigate that company as data controller. The investigation (probably to the surprise of the data controller) did not focus solely on the data breach but also assessed the position of the company's Data Protection Officer ("DPO").
At the end of the investigation, the Belgian DPA imposed a fine of EUR 50,000 on the data controller because the company had failed to ensure that the DPO was free from any conflict of interest. In particular, the Belgian DPA criticized that
the DPO had an undue influence on data processing activities, since as Head of Compliance, Risk and Audit he was responsible for decisions on data processing in many critical activities;
employees should be able to trust the DPO; if the DPO (for example as Head of Audit) has the power to dismiss employees, the employees' confidence in the DPO is undermined;
the controller had failed to establish internal guidelines to ensure the independence of the DPO.
In the past, many Liechtenstein companies considered, mostly for efficiency reasons, appointing the Head of Compliance, Audit and Risk as DPO. The DSS has always expressed concerns about the admissibility of this accumulation of responsibilities. With reference to the Guidelines WP 243 (rev 01) of the Article 29 Data Protection Working Party, the DSS (see www.datenschutzstelle.li/datenschutz/themen-z/datenschutzbeauftragter) states that "A DPO is not allowed to assume any activity within the organization that leads to a decision on the purposes and means of data processing."
Now, after the decision of the Belgian DPA, it is clear that appointing the Head of Compliance, Audit and Risk as DPO should be avoided, since it may lead to substantial fines. Instead, the appointment of an external DPO should be considered; this is often the easiest way to avoid any conflict of interest. Gasser Partner already successfully provides these services for a number of clients. If, for whatever reason, the appointment of an external DPO is not possible, it has to be ensured by other means (internal guidelines, reporting lines, etc.) that the internal DPO can fulfil the role independently, without any conflict of interest and with the confidence of the employees.
There is another important conclusion to be drawn from this decision of the Belgian DPA. Under certain circumstances, data breaches must be notified to the Data Protection Authority (and to the data subjects) within a short period (under Art 33 GDPR, without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach). The Belgian case shows that a notification may trigger a broader investigation of the controller's data protection organisation, not just of the breach itself. To avoid unpleasant surprises, the notification should therefore be prepared carefully, ideally with the support of a data protection expert.
For further information, please contact René Saurer