APD/GBA (Belgium) - 141/2021

From GDPRhub
APD/GBA (Belgium) - 141-2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 38(6) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.12.2021
Fine: 75000 EUR
Parties: n/a
National Case Number/Name: 141-2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 141/2021 van 16 december 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a bank €75.000 because its DPO held incompatible functions. Being head of three departments, as well as DPO resulted in a conflict of interest.

English Summary

Facts

A data subject had complained about their right to rectification. The DPA launched an investigation which over time broadened its scope towards the role of the DPO at the defendant (which is a bank).

The DPO held a number of other functions, including supervising/leading the bank's Operational Risk Management, the Information Risk Management department and Special Investigation Unit.

The bank stated that the head of these services does not have decision-making power to determine the purposes and means of operational processing of personal data, but a purely advisory and supervisory role. The organisation of the departments should not be seen as separate operations. The additional functions do not include decision-making power with regards to the purposes and means of the operations, their scope included setting up frameworks and carrying out controls.

Holding

The Belgian DPA does not follow the bank's argument and states that even though the function of a role can be 'purely advisory and supervisory', it can still determine the means and purposes of processing of personal data. The DPA finds that the second-line services carried out by departments/units of the bank cannot be performed without determining the purposes and means of specific activities that involve processing of personal data (of the first line). This means that DPO, as the head of the departments of the second-line services, has the power to determine the purposes and means of the processing activities. This is further proven by the bank's Record of Processing Activities, which lists a substantial number of categories of personal data (of the first line) which are processed by the departments/units.

As the DPO holds the final responsibility over the referenced departments/units, a conflict of interest is created and the bank breaches Article 38(6).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.