APD/GBA (Belgium) - 141/2021: Difference between revisions

From GDPRhub
No edit summary
Line 49: Line 49:
}}
}}


The Belgian DPA fined a bank €75.000 because its DPO held incompatible functions. Being head of three departments, as well as DPO resulted in a conflict of interest.  
The Belgian DPA fined a bank €75,000 because its DPO held incompatible functions which resulted in a conflict of interest being head of three departments as well resulted in a conflict of interest.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject had complained about their right to rectification. The DPA launched an investigation which over time broadened its scope towards the role of the DPO at the defendant (which is a bank).
The data subject filed complaint regarding a violation to their right to rectification against a bank. The DPA launched an investigation which over time broadened its scope towards the role of the bank's DPO. The investigation revealed that there might be a conflict of interest since the DPO held a number of other functions, including leading the bank's Operational Risk Management, the Information Risk Management department and Special Investigation Unit. The bank argued that the head of these services did not have decision-making power to determine the purposes and means of processing of personal data, but a purely advisory and supervisory role.  
 
The DPO held a number of other functions, including supervising/leading the bank's Operational Risk Management, the Information Risk Management department and Special Investigation Unit.
 
The bank stated that the head of these services does not have decision-making power to determine the purposes and means of operational processing of personal data, but a purely advisory and supervisory role. The organisation of the departments should not be seen as separate operations. The additional functions do not include decision-making power with regards to the purposes and means of the operations, their scope included setting up frameworks and carrying out controls.  


=== Holding ===
=== Holding ===
The Belgian DPA does not follow the bank's argument and states that even though the function of a role can be 'purely advisory and supervisory', it can still determine the means and purposes of processing of personal data. The DPA finds that the second-line services carried out by departments/units of the bank cannot be performed without determining the purposes and means of specific activities that involve processing of personal data (of the first line).   
The Belgian DPA refuted the bank's argument, stating that the role was not 'purely advisory and supervisory'. Particularly, the DPA held that the DPO could still determine the means and purposes of processing of personal data. This was further proven by the bank's Record of Processing Activities, which listed a substantial number of categories of personal data which are processed by these departments. Because the DPO held the final responsibility over the referenced departments, a conflict of interest arose, in breach of [[Article 38 GDPR#6|Article 38(6)]].  
 
The DPA holds that the DPO, as the head of the departments of the second-line services, has the power to determine the purposes and means of the processing activities. This is further proven by the bank's Record of Processing Activities, which lists a substantial number of categories of personal data (of the first line) which are processed by the departments/units.
 
As the DPO holds the final responsibility over the referenced departments/units, a conflict of interest is created and the bank breaches [[Article 38 GDPR#6|Article 38(6)]].  


== Comment ==
== Comment ==
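Review bot: in the revised lead sentence, "resulted in a conflict of interest" appears twice and the clause "being head of three departments as well" is left dangling; suggest "because its DPO held incompatible functions: being head of three departments as well as DPO resulted in a conflict of interest". In the revised Holding, "stating that the role was not 'purely advisory and supervisory'" says something different from the replaced text, which had the DPA hold that even a 'purely advisory and supervisory' function can still determine the purposes and means of processing; the wording should be checked against the decision. The revised Facts opens with "filed complaint" (missing article) and drops the bank's point that the additional functions were limited to setting up frameworks and carrying out controls.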

Revision as of 15:03, 16 February 2022

APD/GBA (Belgium) - 141-2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 38(6) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.12.2021
Fine: 75000 EUR
Parties: n/a
National Case Number/Name: 141-2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 141/2021 van 16 december 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a bank €75,000 because its DPO held incompatible functions: being head of three departments as well as DPO resulted in a conflict of interest.

English Summary

Facts

A data subject filed a complaint against a bank regarding a violation of their right to rectification. The DPA launched an investigation which over time broadened its scope towards the role of the bank's DPO. The investigation revealed that there might be a conflict of interest, since the DPO held a number of other functions, including leading the bank's Operational Risk Management, the Information Risk Management department and the Special Investigation Unit. The bank argued that the head of these services did not have decision-making power to determine the purposes and means of processing of personal data, but had a purely advisory and supervisory role.

Holding

The Belgian DPA rejected the bank's argument, stating that the role was not 'purely advisory and supervisory'. In particular, the DPA held that the DPO could still determine the means and purposes of processing of personal data. This was further proven by the bank's Record of Processing Activities, which listed a substantial number of categories of personal data processed by these departments. Because the DPO held the final responsibility over the referenced departments, a conflict of interest arose, in breach of Article 38(6).

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.