APD/GBA - 18/2020
|APD/GBA - 18/2020|
|Relevant Law:||Article 5 GDPR|
Article 31 GDPR
Article 36 GDPR
Article 38(1) GDPR
Article 38(6) GDPR
|National Case Number/Name:||18/2020|
|European Case Law Identifier:||n/a|
|Original Source:||APD/GBA (in NL)|
The Litigation Chamber of the Belgian DPA imposed a €50,000 fine on a company for non-compliance with the requirements relating to the appointment and function of a DPO under the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Following the notification of a data breach, the Belgian DPA started an investigation into the practices of the company regarding its notifications and data protection program. The data breach was not notified to the DPA but the DPA decided ex officio to start an investigation on the basis of a note prepared by the Complaint department within the DPA.
Dispute[edit | edit source]
On the procedure, the defendant considered that the inspection report should be rejected on the grounds that it was based on the findings made by complaint department, which was not competent to conduct such inspection.
On the merits of the case, the decision analyses the three grounds of alleged violations found by the Inspectorate:
- failure to comply with the duty to cooperate (Article 31 GDPR);
- failure to comply with both the accountability obligation (Article 5.2 of the GDPR) and the duty to cooperate (Article 31 of the GDPR) with regard to the application of the risk-based approach to the security of personal data (Article 36 of the GDPR);
- the failure to comply with the defendant's obligation to avoid a conflict of interest on the part of the Data Protection Officer (Article 38.6 GDPR) and the insufficient involvement of the Data Protection Officer (Article 38.1 GDPR).
Holding[edit | edit source]
On the procedural aspects of the case, the litigation chamber noted that the report was asked by the Management Board of the DPA and then sent to the defendant before the litigation chamber adopted its decision. There was therefore no violation of the applicable procedure.
On the merits of the case:
- The Disputes Chamber assessed the Inspectorate's findings in the light of the defendant's duty to cooperate and found that the Inspectorate had not sufficiently demonstrated that the defendant had not attempted to provide comprehensive and detailed answers to the questions raised by means of letters of reply. In addition, the defendant stated on several occasions that it was prepared to enter into additional consultations, which did not make it possible to establish that it did not comply with the obligation to cooperate with the supervisory authority. The Disputes Chamber is therefore of the opinion that no breach of Article 31 of the AVG can be established.
- The Litigation Chamber stresses that, contrary to the defendant's contention, there is indeed an obligation on the part of the data controller to document any data leakage, whether presenting a risk or not, in order to be able to provide information to the DPA. In view of this clarification provided at the hearing, as well as the fact that it appears from the documents in the file that the defendant, despite contesting the litigation chamber's power to request detailed information, accepted the request to clarify the assessment process in order to allow the chamber to examine how the defendant reached a certain conclusion on risk in a concrete file, in particular the incident at stake, the litigation Chamber notes that the defendant has explained its methodology and procedure on infringements and the assessment of risk. The litigation chamber is therefore of the opinion that no breach of Article 5.2 of the GDPR, Article 24.1 of the GDPR and Article 33 of the GDPR can be established.
- As regards the involvement of the Data Protection Officer, according to the defendant for the purposes of Article 38.1 GDPR, it would be sufficient for the DPO to be informed, as part of involvement, Since this provision does not impose the specific obligation to be consulted, contrary to what is stated in the inspection report. The Disputes Chamber is of the opinion that the defendant's position is not in accordance with the intention of the legislator and does not constitute a meaningful interpretation of Article 38.1 GDPR, which stipulates that the DPO shall be duly and timely involved in all matters relating to the protection of personal data'. By reducing the involvement of the DPO to merely (ex post) informing him of a decision, his function is eroded. The Litigation Chamber decides that, on the one hand, the defendant misinterprets the position of the Data Protection Officer, but that, on the other hand, it is plausible that, in practice, the Data Protection Officer is sufficiently involved. Therefore, no breach of Article 38.1 AVG can be established. The Litigation Chamber decides that, on the one hand, the defendant misinterprets the position of the Data Protection Officer, but that, on the other hand, it is plausible that, in practice, the Data Protection Officer is sufficiently involved. Therefore, no breach of Article 38.1 AVG can be established.
- As regards the Inspectorate's finding that there is a conflict of interest under the Data Protection Officer considering that he is also responsible for compliance, risk management and internal audit. This responsibility for each of these three departments clearly implies that that person in that capacity determines the purposes and means of the processing of personal data within these three departments and is thus responsible for the data processing processes falling under the domain of compliance, risk management and internal audit as identified in the inspection report. Moreover, cumulating of these functions may lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members in accordance with Article 38.5 of the GDPR. Consequently, the Disputes Chamber is of the opinion that the infringement of Article 38.6 AVG has been proven.
- Considering the above, the litigation chamber ordered the company to take measures to resolve the issue within a period of three months and imposes an administrative fine of €50,000.
The fine is appropriate considering the following:
- The concept of a DPO is not new and has existed in various Member States and organizations for many years;
- The company should have been prepared for the introduction of the DPO role, in particular, considering that its core business activity involves processing of personal data on a large scale, including data of a sensitive nature. The infringement could have an impact on millions of individual.
- The duration of the infringement, which started in May 2018 and lasted until February 2020.
Comment[edit | edit source]
Analyses of the judgment:
- You may need a new DPO, according to the Belgian Data Protection Authority
- Belgium – Can a “head of” act as a data protection officer?
Further Resources[edit | edit source]
- Fine for conflict of interest between the function of DPO and Director of risk, compliance and internal audit, article published on www.mon-dpo-externe.com by Florent Gastaud, June 2, 2020.
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Decision on the substance 18/2020 of 28 April 2020 File number : AH-2019-0013 Subject: Inspection report on responsibility in the event of data leaks and position of the data protection officer The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; Having regard to the internal rules of procedure as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; has taken the following decision regarding: Y, hereinafter referred to as 'the defendant 1. Facts and procedure A. Investigation by the Inspectorate 1. On 11 July 2019, the Management Committee of the Data Protection Authority (hereinafter the GBA) decided to refer a case to the Inspectorate of the GBA on the basis of Article 63, 1° WOG. 2. After all, after the file had been processed by the First Line Service, there turned out to be three serious points that stood in the way of correct compliance with the AVG: • failure to comply with the duty to cooperate (Article 31 AVG); • failure to comply with both the accountability obligation (Article 5.2 of the AVG) and the duty to cooperate (Article 31 of the AVG) with regard to the application of the risk-based approach to the security of personal data (Article 36 of the AVG); • the failure to comply with the defendant's obligation to avoid a conflict of interest on the part of the Data Protection Officer (Article 38.6 AVG) and the insufficient involvement of the Data Protection Officer (Article 38.1 AVG). 3. The reason for the abovementioned referral was a concrete data leak at the defendant's premises. This leak was also referred to as the W incident. This data leak took place in response to a number of invitations sent by the defendant to, among others, the self-employed and liberal professionals to switch from a paper to an electronic invoice. Due to an error in the selection of e-mail addresses, a number of the invitations linked to self-employed persons (and subsequently also the electronic invoice) were sent to secondary e-mail addresses that were linked to a customer in the defendant's databases, but may not have a direct link with the customer concerned. Such secondary contact persons are administrative or technical contact persons for the customer. 4. The communication between the GBA First-line Service and the respondent concerning this data leak gave rise to a note submitted by the First-line Service to the Executive Committee proposing that the existence of serious indications assess and then submit the file to the Inspectorate in order to have the handling of data leaks investigated by the defendant (article 63, 1° WOG). 5. The Inspectorate submitted its report dated 6 September 2019 to the Disputes Chamber on the basis of Section 91, §2 of the WOG, as a result of which the Disputes Chamber was seized on the basis of Section 92, 3° of the WOG. B. Procedure before the Dispute Chamber 6. At a hearing on 24 September 2019, the Disputes Chamber decided on the basis of Article 95, §1, 1° WOG and Article 98 WOG that the file was ready to be dealt with on the merits. 7. On the same day, the defendant was informed by registered mail of this decision, as well as of the inspection report and the inventory of the documents in the file transmitted by the Inspectorate to the Chamber of Disputes. At the same time, the defendant was informed of the provisions as mentioned in article 98 of the WOG and the defendant was informed of the time limits to submit his defence under article 99 of the WOG. The deadline for receiving the defendant's response was set at 28 October 2019. 8. On 29 October 2019, the Chamber of Disputes received the conclusion of the defendant's response. This conclusion contains, in addition to the substantive defence on the three findings of the Inspectorate concerning the duty of cooperation (1), the accountability and responsibility of the controller (2) and the position of the Data Protection Officer (3), also a procedural defence in which the defendant argues that the division of powers between the First Level Service and the Inspectorate, as defined by the legislator, was not respected in this case, which would lead to the incompetence of the Disputes Chamber and to the inadmissibility of the report of the Inspectorate and the internal note of the First Level Service. 9. On 14 February 2020, the file will be resumed and the hearing will take place. The defendant will be heard and will have the opportunity to present his arguments. 10. The case is then considered by the Disputes Chamber. 11. On 18 February 2020, pursuant to Article 54 of the Internal Rules of Procedure of the Data Protection Authority, a copy of the minutes of the hearing shall be transmitted to the respondent. 12. The defendant is hereby given the opportunity to have any observations he may have on the matter added as an annex to the minutes, without this constituting a reopening of the proceedings. 13. On 21 February 2020, the Chamber of Disputes receives from the defendant some observations regarding the minutes, which it decides to include in its deliberations and decision. 14. On 26 February 2020, as requested at the hearing, the defendant provides the correct company number and the annual turnover of the last three financial years. These amounts: for 2017: €4,058,643,958 for 2018: €4,009,935,363 for 2019: €3,886,699,793 15. On 3 April 2020, the Disputes Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to enable the defendant to defend himself before the sanction is effectively imposed and enforced. 16. On 24 April 2020, the Disputes Chamber received the defendant's response to the intention to impose an administrative fine, as well as the amount thereof. The defendant disagrees with the imposition of a fine, or the intended amount of the fine, and refers to its conclusions. However, he does not put forward any (new) arguments in support of this claim. Therefore, the defendant's reaction does not give cause for the Disputes Chamber to amend the intention to impose an administrative fine, nor does it change the amount of the fine as intended. 2. Legal basis Article 38.6 AVG 6. The Data Protection Officer may perform other tasks and duties. The controller or the processor shall ensure that these tasks or duties do not give rise to a conflict of interests. 3. Reason (a) Procedure 17. As a first ground of defence, the defendant argues that the proceedings were flawed. The defendant argues that the First Line Service has gone further than the mere handling of the notification file, to such an extent that nothing of the Incident W Incident can be found in the objections that form the basis of the proceedings before the Dispute Settlement Chamber. According to the defendant, the written inquiry, more specifically the scope of the inquiry and the number of additional questions put to the defendant, shows that the First Line Service conducted an inquiry, which is an investigative power of the Inspection Service in accordance with Article 66, §1, 3° WOG. 18. Also, the First Line Service would have used the investigative modality to identify persons, which is a competence vested in the Inspection Service (Article 66, §1, 1° WOG). The defendant argues that his argument - namely that the investigation had already been carried out at the level of the First Line Service and therefore before the file reached the Inspectorate - is confirmed by the fact that the report of the Inspectorate for the "investigative measures in connection with the investigation" only refers to the refers to "going through the file received through the management committee". According to the defendant, the Inspectorate therefore bases its report solely on an investigation carried out by the First Line Service. 19. During the hearing, the defendant added that the internal note from the First Line Service, which was addressed to the Management Committee and therefore at the time when the file had not yet been submitted to the Inspectorate, had already been sent with the Inspectorate's contact details (email@example.com). The carrying out of investigative acts by a service that is legally not allowed to carry them out is labelled by the defendant as fishing expedition. 20. Therefore, according to the defendant, the First-line Service exceeded its competence and did not comply with its legal powers, in particular its power to initiate a mediation procedure (Article 22, 2° WOG). The defendant argues that repeated requests for consultation on his part were not complied with by the First line service. 21. Moreover, according to the defendant, the Inspectorate also failed to respect its powers because the Inspectorate relied exclusively on the file of the First Line Service for the preparation of the report. This leads the defendant to state that the Inspectorate did not carry out an investigation because none of the investigative measures in Article 66 § 1 WOG were taken. The defendant argues that the Inspectorate was thus not competent to draw up its report as it could not lawfully have completed its investigation due to a lack of any investigative measure. 22. The defendant argues that the Chamber of Disputes was not validly seized and should declare itself incompetent because - The Inspectorate did not investigate; - The Inspectorate was not authorised to conclude its investigation; - The Chamber of Disputes could only be seized after a lawful conclusion of the investigation. 23. In the alternative, the defendant submits that the Inspectorate's report and the internal note of the First Line Service are inadmissible on the ground that they infringe fundamental principles of law, in particular the principle of due process and the right of defence, as well as the general principles of sound administration, in particular the principles of diligence and impartiality. 24. At the hearing, the defendant does not deny that any investigation was carried out, but he claims that it was done in the wrong way. The defendant argues that the Chamber of Disputes has no jurisdiction when the elements gathered have been obtained in a legally incorrect manner. Therefore, according to the defendant, the documents of the First Level Service should be excluded from the investigation and he stresses that the First Level Service should act within its powers as laid down in article 22 WOG. Compliance with this is essential for the defendant in order to ensure legal certainty. The defendant explicitly states that it is important for a company to be able to enter into a dialogue with a department within the GBA without immediately conducting an investigation, in such a way that there is the possibility of cooperation, consultation and mediation. 25. The Litigation Chamber stresses the need to ensure impartial and fair treatment throughout the process. The problem raised by the defendant relates to the preliminary stage, but the rights of defence have not been violated, since the defendant has had the opportunity to present his arguments in full by means of his conclusion of reply and, in addition, he has been able to fully exercise his right to be heard during the hearing of the Chamber of Disputes. 26. The Disputes Chamber can only establish that, in the case where the GBA can act ex officio, the procedure provided for by law has been respected, i.e. that if the Management Committee establishes serious indications of the existence of a practice that may give rise to a breach of the fundamental principles of the protection of personal data, within the framework of the WOG and of the laws containing provisions on the protection of the processing of personal data, the referral may be made to the Inspection Service (Article 63, 1° WOG). In application of this provision, the decision of the Management Committee taken on 11 July 2019 referred the case to the Inspectorate on 12 August 2019, without infringing a procedural rule which would be likely to harm the interests of the defendant or violate his rights. The fundamental procedural guarantee consisting in ensuring the right to a fair hearing has been respected by the fact that the inspection report was transmitted by the Dispute Chamber to the defendant and he had the opportunity to respond to each of the Inspectorate's findings contained therein. 27. The Disputes Chamber is therefore of the opinion that the present notification of a possible personal data breach has been dealt with in compliance with all fundamental principles of law and general principles of good administration. (b) Cooperation with the supervisory authority (Article 31 ACC) 28. The Inspectorate makes the following observation in its report regarding the duty to cooperate: "The defendant has used various means to make mandatory cooperation with the GBA more difficult. Those means are described as the "Ten D's" on the web pages http://www.aalep.eu/recognizing-youropposition-tactics-and-responding-them and https://ctb.ku.edu/en/table-of-contents/advocacy/ respond-to- counterattacks/ overview-of-opposition-tactics/main. An assessment of the contacts with the defendant reveals that the defendant applied 5 out of 10 techniques. According to the Inspectorate, it is up to the Disputes Chamber to determine whether the application of the aforementioned techniques constitutes a breach of the duty to cooperate or can be regarded as a normal exercise of the defendant's right of defence on the basis of the applicable general principles of law'. 29. With regard to those findings of the Inspectorate concerning cooperation, the defendant first of all submits that, in view of the fact that the First Line Service went beyond its competence and therefore did not fulfil the tasks assigned to it, it did not have to cooperate and did not have to answer the questions of the First Line Service. Second, the defendant contests the legal value of the web pages on which the GBA relies and argues that it did cooperate and did not apply any of the five 'Ten D's' techniques mentioned by the Inspectorate. The defendant argues that the requirement of cooperation is in any event limited by the rights of defence and the right to non-self-incrimination, which apply in administrative proceedings that may give rise to the imposition of administrative fines. The far-reaching questions would have violated the rights of defence and the prohibition of selfincrimination. 30. The Disputes Chamber assessed the Inspectorate's findings in the light of the defendant's duty to cooperate and found that the Inspectorate had not sufficiently demonstrated that the defendant had not attempted to provide comprehensive and detailed answers to the questions raised by means of letters of reply. In addition, the defendant stated on several occasions that it was prepared to enter into additional consultations, which did not make it possible to establish that it did not comply with the obligation to cooperate with the supervisory authority. 31. The Disputes Chamber is therefore of the opinion that no breach of Article 31 of the AVG can be established. This judgment is based on factual findings, which means that it is not necessary in this case to give an opinion in principle on the scope of the duty to cooperate. (c) Accountability (Article 5.2 of the AVG and Article 24(1) of the AVG) for the application of the risk assessment when notifying a personal data breach (Article 33 of the AVG) 32. The inspection report shall state the following in respect of this serious designation by the Executive Committee: "The defendant's risk assessment when reporting personal data breaches was systematically 'low' or 'negligible' over the past year. How the defendant's team (consisting of representatives of the business) arrived at this result is, despite the questions raised by the GBA, not clear in concrete terms. As can be seen from the defendant's letter of 12/06/2019, he is not prepared to explain further because he would not be obliged to do so under the AVG. Moreover, it appears from the 'RACI matrix' mentioned in the aforementioned letter that the DPO of the defendant does not participate in the discussions on the risk assessment in this respect as he is only 'informed' instead of 'consulted'. Who decides what in the defendant's case in a concrete file is not communicated to the GBA and there is no indication that the defendant wishes to change that practice. The use of vague descriptions of the assessment process and denials makes it impossible for the GBA to verify how the defendant came to a particular conclusion on the risk in a concrete dossier. The above course of action is contrary to the accountability (Article 5(2) AVG) and responsibility (Article 24(1) AVG) of the defendant as regards the application of the risk-based approach to the security of personal data (Article 32 AVG)'. 33. The defendant notes that the inspection report only explicitly refers to the risk-based approach in personal data security (Article 32 AVG), whereas the content of the report shows that it concerns the risk assessment in personal data breach notification, which concerns Articles 33 and 34 AVG. This would make it impossible for the defendant to defend himself properly with consequences for the decision of the Chamber of Disputes from the perspective of fundamental principles of law and general principles of good administration. 34. On this point, the Disputes Chamber rules that the defendant's conclusion, apart from this finding of the defendant regarding the applicable articles of law, does not contain any element showing that he is even defending the risk-based approach to the security of personal data (Article 32 of the AVG). The entire defence relates to the risk-based approach in the notification of personal data breaches (Articles 33 and 34 AVG). It is not apparent from any element that the defendant had any doubts about the articles which formed the basis of the Inspectorate's adoption, such that it should be decided on that basis that fundamental principles of law and general principles of good administration were complied with. This is explained by the fact that all the documents in the file relate to the risk assessment in the notification of personal data breaches. The inspection report also mentions at the beginning of the finding that it is the personal data breach notification risk assessment and it is clear from the context of the report that it is only about that. 35. On the substance, the defendant argues that there is no legal obligation to submit a detailed verification possibility to the GBA. However, information on the methodology for the risk analysis and the procedure relating to this analysis and the decision-making was provided to the GBA. Notwithstanding the contestation of the competence of the GBA, the defendant stressed that information was provided, indicating that he wanted to enter into a dialogue concerning the assessment of the risks. The defendant also addresses the Inspectorate's claim that the use of vague descriptions of the assessment process and denials makes it impossible for the GBA to verify how the defendant came to a certain conclusion in a concrete file. 36. In its conclusion, the defendant refers to the relevant documents that would invalidate the Inspectorate's assertion and which would have enabled the GBA to ascertain how the defendant had arrived at a certain conclusion about the risk in a concrete file. The defendant concluded that there was no breach of accountability, since Article 5.2 AVG would only relate to the principles mentioned in Article 5.1 AVG and not to the rules concerning the consequences of a breach of personal data. 37. The Litigation Chamber stresses that, contrary to the defendant's contention, there is indeed an obligation on the part of the data controller to document any data leakage, whether risky or not, in order to be able to provide information to the GBA. Moreover, also contrary to the defendant's contention, Article 5.2 AVG is not limited to the principles listed in Article 5.1 AVG, but Article 5.2 AVG does cover the other provisions of the AVG, including Article 33 AVG. This results from the close connection between Article 5.2 of the AVG on the one hand and the obligations for the controller arising from Articles 24 et seq. of the AVG on the other hand. 38. For this purpose, the Litigation Chamber refers to the Guidelines on Notification of Personal Data Breaches under Regulation 2016/679 of the Article 29 Data Protection Working Party which states the following: "Regardless of whether a breach has to be notified to the supervisory authority, the controller shall document all breaches, as explained in Article 33(5): The controller shall document all personal data breaches, including the facts surrounding the personal data breach, its consequences and the remedial action taken. That documentation shall enable the supervisory authority to monitor compliance with this Article. This is linked to the AVG's accountability principle set out in Article 5(2). The purpose of recording both non-notifiable and notifiable infringements also relates to the obligations of the controller under Article 24. The supervisory authority may request access to these records. Processing controllers are therefore encouraged to set up an internal register of breaches, whether or not they are subject to a reporting obligation. Although it is up to the controller to determine the method and structure to be used in documenting an infringement, there are important elements to be included in all cases in terms of information to be recorded. As required by Article 33(5), the controller should record details of the breach, including its causes, what happened and the personal data involved. The controller should also record the consequences of the breach and the remedial action taken. The AVG does not specify how long this documentation should be kept. If these records contain personal data, it is up to the data controller to determine the appropriate retention period in accordance with the principles for the processing of personal data and to comply with the legal basis for the processing. He should keep the documentation in accordance with Article 33(5) to the extent that the supervisory authority can request the controller to provide evidence of compliance with that Article or, more generally, with the principle of accountability. If the recorded data do not contain any personal data, the principle of storage limitation contained in the AVG will obviously not apply. In addition to these details, the WP29 recommends that the data controller should also document his reasons for decisions taken following an infringement. In particular, where an infringement has not been reported, the justification for that decision should be documented. The justification should include the reasons why the controller considers that the breach is not likely to pose a risk to the rights and freedoms of natural persons. If the controller considers that one of the conditions laid down in Article 34(3) is fulfilled, it should be able to provide conclusive evidence that this is the case. Where the controller does not report a breach to the supervisory authority but postpones the reporting, he should be able to justify the delay; related documentation could help to demonstrate that the delay is justified and not excessive. If the controller communicates a breach to the persons affected, he should be transparent about the breach and communicate effectively and in a timely manner. Consequently, it would help the controller to demonstrate compliance with the principle of accountability and compliance by keeping evidence of that communication. In order to support compliance with Articles 33 and 34, it would be useful for both controllers and processors to have a documented notification procedure setting out the procedure to be followed when a breach has been identified, including how to contain, manage and remedy the incident, assess the risk and report the breach. In order to demonstrate compliance with the AVG, it may also be useful in this context to demonstrate that employees have been informed of the existence of such procedures and mechanisms and that they know how to react to infringements. Note that failure to properly document an infringement may result in the supervisory authority exercising its powers under Article 58 and/or imposing an administrative fine in accordance with Article 83'. [underscores by Dispute Chamber] 39. In the light of the above guidelines, the Litigation Chamber asked the defendant during the hearing to what extent data leaks were documented by him. 40. The respondent indicated that all known leaks are documented and the loyalty and professionalism of the individual employee is invoked to escalate a possible data leak through the available tool within the company. The respondent stated that it has the necessary policies and training in place to train its employees on how to report data related incidents. 41. In view of this clarification provided at the hearing, as well as the fact that it appears from the documents in the file that the defendant, despite contesting the GBA's power to request detailed information, accepted the request to clarify the assessment process in order to allow the GBA to examine how the defendant reached a certain conclusion on risk in a concrete file, in particular the W Incident, the Litigation Chamber should decide that the defendant has explained its methodology and procedure on infringements and the assessment of risk. 42. The Disputes Chamber is therefore of the opinion that no breach of Article 5.2 of the AVG, Article 24.1 of the AVG and Article 33 of the AVG can be established. (d) Position of the Data Protection Officer (Article 38 AVG) 43. The Inspectorate's report makes the following observations on the position of the Data Protection Officer: In addition to that function, the defendant's Data Protection Officer also fulfils the function of Director of Audit, Risk and Compliance at the defendant's premises. This file shows that the DPO is not in a position sufficiently free from a conflict of interest (as imposed by Article 38(6) AVG) and is not sufficiently involved in discussions on personal data breaches (as imposed by Article 38(1) AVG). Insufficient involvement of the Data Protection Officer: • The data protection officer of the defendant shall only be informed of the outcome of the risk assessment. In this respect, we refer to the letter of 12/06/2019 in which the RACI matrix under point 184.108.40.206 indicates that its DPO is only 'informed' and not 'consulted'. However, Article 38(1) AVG requires the DPO to be duly and timely involved in all matters related to the protection of personal data. • The fields 'DPO's advice' were until recently systematically not filled in by the defendant. It appears from the explanations in section 220.127.116.11 of the defendant's letter of 12/06/2019 (document 13) that the discussion about the risk belongs to the 'business' (which also appears from the RACI matrix mentioned above) and that, until recently, the opinion of its DPO was not included in the defendant's model form ('Personal Data Breach Investigation Report'). Conflict of interest of the Data Protection Officer • Conflicting tasks. The defendant states in his letters of 03/04/2019 and of 12/06/2019 that his Data Protection Officer only has an advisory role and cannot take decisions on the purposes and means of processing, which is also mentioned in the [Working Party's Guidelines for Data Protection Officers (DPO)]. However, the existence of a conflict of interest is not limited to cases where a person determines the purposes and means of the processing. Conflicts of interest must always be assessed on a case-by-case basis. The aforementioned letter from the Respondent shows that its DPO is doing more than advising the Respondent internally as that person is performing conflicting tasks within Y (the Respondent) that entail significant operational responsibility for data processing processes falling under the domain of audit, risk and compliance. • Pragmatic approach in Germany and in legal doctrine, which [...] refer to criteria such as (1) the existence or absence of self-monitoring by a leading function holder within the company, (2) the existence or absence of internal rules on conflicts of interest, and (3) bearing a significant operational responsibility with an impact on personal data, [...]. • Until recently, the defendant did not have a policy to prevent conflicts of interest. Only after registered letters from the GBA of 04/03/2019 and 16/05/2019 questioning the position of the Data Protection Officer, an undated document 'Y (defendant) DPO Charter' was delivered via the defendant's letter of 12/06/2019, still to be put on the agenda of the Audit and Compliance Committee in July 2019 (as mentioned on page 6 of the defendant's aforementioned letter). The drafting of such a document does not imply that the independence of the DPO is sufficiently demonstrated. 44. As regards the involvement of the Data Protection Officer, the defence stresses that the Inspectorate's determination is based on a legal and a factual misinterpretation. 45. According to the defendant, as set out in its conclusion, for the purposes of Article 38.1 AVG it would be sufficient for the DPO to be informed, as part of involvement, but this provision does not impose the specific obligation to be consulted, contrary to what is stated in the inspection report. 46. The Disputes Chamber is of the opinion that the defendant's position is not in accordance with the ratio legis and does not constitute a meaningful interpretation of Article 38.1 AVG, which stipulates that the officer 'shall be duly and timely involved in all matters relating to the protection of personal data'. By reducing the involvement of the DPO to merely (ex post) informing him of a decision, his function is eroded. 47. In this context, the Dispute Settlement Chamber refers in particular to the Working Party's Guidelines for Data Protection Officers (DPOs), which underline the crucial importance of the DPO being involved as early as possible in all data protection related matters. Ensuring that the DPO is informed and, even more importantly, consulted from the outset will enable compliance with the General Data Protection Regulation. 48. Moreover, this promotes compliance with a data protection approach by design, as provided for in Article 25 of the AVG, which should therefore become the standard procedure within the management of the organisation. 49. The Disputes Chamber finds that the defendant has misinterpreted Article 38.1 AVG. However, it has been sufficiently demonstrated to the Disputes Chamber that, as far as the risk assessment process is concerned, in practice the data protection officer is involved and carries out an independent analysis of the privacy risk himself, prior to the final decision on the risk, by providing advice and his assistance as adviser. 50. On the outcome of the risk assessment, that a final decision has been taken by the representatives within the team or department responsible for the services or clients affected, the Data Protection Officer is only informed, not consulted. This corresponds to Article 38.1 in conjunction with Article 39.1. (a) AVG requiring the DPO to act in an advisory capacity towards the data controller but not to be co-responsible for the final decision. On this basis, the Dispute Chamber confirms that the DPO will only be informed of the final risk decision. 51. The Litigation Chamber decides that, on the one hand, the defendant misinterprets the position of the Data Protection Officer, but that, on the other hand, it is plausible that, in practice, the Data Protection Officer is sufficiently involved. Therefore, no breach of Article 38.1 AVG can be established. 52. As regards the Inspectorate's finding that there is a conflict of interest under the Data Protection Officer by virtue of the fact that he is also responsible for compliance, risk management and internal audit, the defendant argues that, in the exercise of each of these functions, the person concerned does not take decisions himself, but his role is purely advisory. Moreover, the necessary measures would have been taken internally to avoid the risk of conflicts of interest. These measures were formalized in a DPO Charter which was validated by the defendant's Audit Committee on 29 July 2019. 53. During the hearing, the Chamber of Disputes examined the impact of the Data Protection Officer on decision-making under his other functions. With regard to the role of the DPO, the Chamber of Disputes raises how this is compatible with the function of conducting internal audits in which a report can identify certain elements that could lead to the dismissal of a particular employee. In this context, it is important to know whether the Data Protection Officer, who also holds the position of Head of Internal Audit, also has the right of decision in that capacity. 54. The Litigation Chamber stresses that there is a difference between merely analysing processes and assessing employee performance through internal audit, which is at odds with the role of trust that the Data Protection Officer holds within the company. The defendant argues in this respect that there is no problem of compatibility because the Data Protection Officer concerned, as head of Internal Audit, does not make individual decisions regarding employees, nor does he or she assess them. 55. The Litigation Chamber notes that in its conclusion, the defendant elaborates extensively on the independence and advisory role of each of the three departments, namely the Compliance department, Internal Audit department and Risk Management department, vis-à-vis the other departments of the company. Thus, the defendant states that the Audit, Compliance and Risk roles involve only limited risks of conflicts of interest, because they have "advisory" functions and have no decision-making power with respect to processing activities. This leads the defendant to state that the Data Protection Officer has no duties (including through his functions in each of the departments) that would allow him to make decisions about the purposes and means of any processing of personal data. 56. The Litigation Chamber is of the opinion that this does not demonstrate that the Data Protection Officer who is part of each of these departments and holds a position of responsibility in them does not perform tasks that are incompatible with his or her position as Data Protection Officer. 57. The Litigation Chamber thus notes that the independence and advisory role of the department as such cannot simply be extended to the person who simultaneously fulfils the function of data protection officer and manager of a department. 58. The Litigation Chamber should assess how and to what extent the independence of the DPO is ensured with regard to each of these three departments, in particular in a situation like the present one where the DPO is not only part of, but also assumes the role of data controller for these departments. 59. Indeed, the defendant explicitly stipulates that, in addition to the responsibilities as data protection officer, the same person is also responsible for compliance, risk management and internal audit. 6 Thus, the defendant himself or herself appoints the same physical person as responsible for each of the three departments and as data protection officer. This responsibility for each of these three departments clearly implies that that person in that capacity determines the purposes and means of the processing of personal data within these three departments and is thus responsible for the data processing processes falling under the domain of compliance, risk management and internal audit as identified in the inspection report. 60. The Working Party 29 Guidelines for Data Protection Officers7 explain that the Data Protection Officer cannot perform any function within the organisation. 6 See letter to the GBA dated 3 April 2019, quoted in the conclusion. 7 According to Article 38(6), Data Protection Officers may 'carry out other duties and tasks'. However, for this purpose, the organisation must ensure that 'these tasks or duties do not give rise to a conflict of interest'. The absence of a conflict of interest is closely linked to the requirement to act autonomously. Although DPOs may hold other functions, they can only be entrusted with other tasks and duties if they do not give rise to any conflict of interest. In particular, this means that the DPO cannot hold a position within the organisation in which he or she has to determine the purposes and means of the processing of personal data. Given the specific organisational structure of each organisation, this should be assessed on a case-by-case basis. As a rule of thumb, positions within the organization that involve a conflict of interest are considered to include senior management positions (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, Head of Marketing, Head of Human Resources or Head of IT), as well as lower-level positions within the organizational structure when these persons are required to determine the objectives of and resources for data processing. In addition, a conflict of interest may also arise, for example, when an outside data protection officer is asked to represent the controller or processor in court in litigation over data protection issues. Depending on the activities, size and structure of the organisation, it can be good practice for processors or processors: • identify the positions that may be incompatible with the post of Data Protection Officer; • draw up internal rules for this purpose in order to avoid conflicts of interest; • include a more general explanation of conflicts of interest; • declare that their DPO does not have a conflict of interest in his function as DPO, as a way of sensitising others to this requirement; • include safeguards in the organisation's internal rules of procedure and ensure that the vacancy for the position of Data Protection Officer or service contract is sufficiently precise and detailed to avoid conflicts of interest. In this regard, we must take into account that conflicts of interest can take various forms depending on whether the DPO has been recruited internally or externally. WP243Rev01, para 3.5, underlined by Dispute Chamber. occupying a position where he or she has to determine the purposes and means of the processing of personal data. This is thus an essential conflict of interest. The role of data controller in a department is thus incompatible with the function of data protection officer, who must be able to perform his or her tasks independently. The cumulation of the function of data controller for each of the three departments concerned on the one hand, and the function of data protection officer on the other, on the basis of the same physical person, lacks any possible independent supervision by the data protection officer for each of these three departments. Moreover, the cumulation of these functions may lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members in accordance with Article 38.5 of the AVG. Consequently, the Disputes Chamber is of the opinion that the infringement of Article 38.6 AVG has been proven. 61. It is important that the DPO is able to carry out his tasks and duties with respect for the position conferred on him by Article 38 of the AVG, in particular that he can act without a conflict of interest. Therefore, the Litigation Chamber instructs the defendant to bring the processing in this respect in line with Article 38.6 AVG and thus ensures that these tasks or duties do not lead to a conflict of interest. 62. Taking into account the fact that the AVG has assigned a key role to the Data Protection Officer by giving him an informative and advisory role with regard to the data controller on all matters relating to the protection of personal data, including the notification of data breaches, the Litigation Chamber will also impose an administrative fine. 63. In addition to the corrective measure to bring processing in line with Article 38.6 of the AVG, the Disputes Settlement Chamber also decides to impose an administrative fine that is not intended to end a violation committed, but with a view to vigorously enforcing the rules of the AVG. As can be seen from Recital 148, the AVG requires that, in the event of serious infringements, penalties, including administrative fines, should be imposed in addition to or instead of appropriate measures. The Disputes Chamber does this in application of Article 58.2 i) AVG. The instrument of an administrative fine is therefore in no way intended to bring infringements to an end. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. 64. First of all, the nature and seriousness of the infringement is taken into account by the Chamber of Disputes in order to justify the imposition of this sanction and its amount. 65. In doing so, the Litigation Chamber finds that, although there is no evidence of intentional infringement, there is serious negligence on the part of the defendant. Although the DPO is a function that the AVG made mandatory at European level for the first time, the concept of a DPO is not new and has existed for a long time in many Member States and in many organisations. 9 66. In addition, Group 29 already adopted guidelines for these officials on 13 December 2016. These guidelines were revised on 5 April 2017 following a wide-ranging public consultation. As shown below, these guidelines are clear on the extent to which the DPO can also perform other functions within the company, taking into account the organisational structure specific to each organisation and to be assessed on a case-by-case basis. 67. In short, in the opinion of the Litigation Chamber, there is no doubt that the cumulation of the function of Data Protection Officer with a function as head of a department to be supervised by the Data Protection Officer cannot be done in an independent manner. 68. An organisation such as the defendant may be expected to prepare carefully for the introduction of the AVG and already from the time the AVG enters into force in accordance with art. 99 of the AVG in May 2016. After all, the processing of personal data is a core activity of the defendant, which, moreover, has a very high level of responsibility for the processing of personal data. nature, seriousness and duration of the breach, deliberate nature of the breach, harm reduction measures, degree of responsibility, or previous relevant breaches, the manner in which the breach came to the knowledge of the supervisory authority, compliance with measures taken against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective remedy and due process. 9 See among others WP243Rev01, para 1. processing personal data on a large scale, including personal data which may have a high degree of sensitivity for data subjects, inter alia, because they allow regular and systematic monitoring. 69. The duration of the infringement is also taken into account. The Data Protection Officer has been created in the AVG applicable since 25 May 2018, so that the breach of Article 38.6 AVG has been established as of that date. In any event, the infringement continued on the date of the hearing, i.e. 14 February 2020. 70. Finally, the defendant processes personal data of millions of people. Ineffective safeguards for the protection of personal data, in particular the appointment of a data protection officer who does not meet the requirement of independence and thus cannot act free from any conflict of interest, thus have a potential impact on millions of data subjects. 71. All the elements set out above justify an effective, proportionate and dissuasive sanction, as provided for in Article 83 of the AVG, taking account of the assessment criteria laid down therein, amounting to EUR 50 000. The Chamber of Disputes points out that the other criteria set out in Article 83.2. AVG in this case are not of the nature that they result in an administrative fine other than that established by the Disputes Chamber in the context of this decision. (e) Publication of the decision 72. In view of the importance of transparency in relation to the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be published directly for this purpose. FOR THESE REASONS, the Data Protection Authority's Litigation Chamber, after deliberation, shall decide: - pursuant to Article 100, §1, 9° WOG, order the defendant to bring the processing into conformity with Article 38.6 AVG. For this purpose, the Disputes Chamber gives the defendant a term of three months and expects the Disputes Chamber to report to it by 31 July 2020 at the latest on bringing the processing into conformity with the aforementioned provisions; - to impose an administrative fine of EUR 50,000 pursuant to Article 100, §1, 13° WOG and Article 101 WOG. This decision may be appealed against under Article 108 §1 WOG within a period of thirty days from the notification to the Market Court with the Data Protection Authority as respondent. (get.) Hielke Hijmans President of the Chamber of Disputes