Revision as of 13:30, 14 February 2022
| APD/GBA (Belgium) - 141-2021 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 38(6) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 16.12.2021 |
| Fine: | 75000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 141-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 141/2021 van 16 december 2021 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA fined a bank €75.000 because its DPO held incompatible functions. Being head of three departments as well as DPO resulted in a conflict of interest.
English Summary
Facts
A data subject had complained about their right to rectification. The DPA launched an investigation which over time broadened its scope towards the role of the DPO at the defendant (which is a bank).
The DPO held a number of other functions, including supervising/leading the bank's Operational Risk Management department, its Information Risk Management department and its Special Investigation Unit.
The bank stated that the head of these services does not have decision-making power to determine the purposes and means of operational processing of personal data, but a purely advisory and supervisory role. The organisation of the departments should not be seen as separate operations. The additional functions do not include decision-making power with regard to the purposes and means of the operations; their scope included setting up frameworks and carrying out controls.
Holding
The Belgian DPA does not follow the bank's argument and states that even though a role can be 'purely advisory and supervisory', it can still determine the purposes and means of the processing of personal data. The DPA finds that the second-line services carried out by departments/units of the bank cannot be performed without determining the purposes and means of specific activities that involve processing of personal data (of the first line). This means that the DPO, as the head of the departments of the second-line services, has the power to determine the purposes and means of the processing activities. This is further proven by the bank's Record of Processing Activities, which lists a substantial number of categories of personal data (of the first line) which are processed by the departments/units.
As the DPO holds the final responsibility over the referenced departments/units, a conflict of interest is created and the bank breaches Article 38(6).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.