In this article we will analyse the figure of the DPO in the EU (European Union).
Javier Sempere Samaniego, Data Protection Officer of the Spanish General Council of the Judicial Power, has prepared for the Spanish Professional Privacy Association (APEP) an informative note about the sanctioning resolutions adopted by the supervisory authorities that affect the DPO in the EU system.
The purpose of this publication has been to communicate to APEP’s members the resolutions that affect the status of data protection officers (DPO).
Examples of these resolutions are the following:
In this article we will discuss...
Luxembourg Data Protection Authority
In 2018, the Luxembourg National Data Protection Commission carried out an inspection plan to 25 responsible, in order to check if they complied with the requirements related to Data Protection Officers.
A. 18,700€ fine to a company for non-compliance with GDPR requirements about the Data Protection Officer
The CNPDL imposed a fine of €18,700 on a company for committing four infringements related to such requirements, as well as issuing an order against the same company, to comply with the GDPR within four months.
The infringements committed are as follows:
- The Responsible for the processing did not publish its Data Protection Officer contact details, in breach of Article 37.7 of the GDPR.
- The Responsible for did not ensure that the DPO was involved in a timely and adequate manner in all matters related to the protection of personal data, in breach of Article 38.1 GDPR.
- The Responsible did not ensure that the DPO fulfilled its mission with a sufficient degree of autonomy, in violation of Article 38.3 GDPR.
- The Responsible did not ensure that the DPO could properly monitor the compliance of data processing practices with the GDPR, thus breaching Article 39.1.b) GDPR.
B. Company breaches its obligation to communicate the DPO’s contact details
The Luxembourg National Data Protection Commission warned a company after discovering that it had breached its obligation to disclose the DPO’s contact details.
It was under Article 37.7 GDPR and its obligation to ensure that its DPO had no conflict of interest under Article 38.6 GDPR.
These violations committed by the company were resolved, so they did not have to pay an administrative fine.
C. A company was fined €18,000 for failing to provide its DPO with the necessary resources and organizational framework to perform his duties properly.
The company had a privacy office at its central office, while the Luxembourg affiliate had only one data protection lawyer.
In addition, a group of companies designated a single group DPO to manage the data protection aspects of both the central company and the Luxembourg affiliate.
The National Commission considered that there was a lack of direct involvement of the group DPO at the central headquarters, which would result in a risk that the DPO would not be properly involved at the operational level in Luxembourg, thus infringing Article 38.1 GDPR.
A violation of Article 38.2 GDPR was also found, as the DPO was not provided with the necessary resources to be able to carry out his tasks and access personal data, as well as processing operations.
A lack of direct feedback of information from the DPO to the data controller of the Luxembourg subsidiary was also found to be in breach of Article 39.1.a) GDPR.
Belgium Data Protection Authority
A.The Belgium Data Protection Authority fined a bank €75,000, after determining that there was a conflict of interest in the person who performed the functions of the DPO.
This individual was also the head of three departments with decision-making powers over the processing of personal data.
In its defense, the Bank determined that the DPO did not have power of decision to determine the purposes and means of the processing of personal data in his functions performed at the Bank.
However, it only had advisory and supervisory functions.
In view of this, the Belgium Data Protection Authority determined that the role of the DPO was not purely advisory and supervisory, but could also determine the means and purposes of the processing of personal data.
Additionally, the Bank’s Register of Processing Activities listed a substantial amount of categories of personal data that these departments process.
For all these reasons, the Belgian Data Protection Authority determined the existence of a conflict of interest, implying a violation of Article 38 GDPR.
B. Company sentenced to a fine of €18,000 for violation of several articles of the GDPR, in relation to non-compliance involving the DPO.
Firstly, violation of Article 38.1 RGPD. The DPO didn’t have been sufficiently involved in all matters relating to the Data Protection Law. It was considered that the external DPO could not voluntarily intervene unless requested to do so by the Responsible for the processing.
Secondly, violation of Article 37.7 GDPR, as it was considered that the DPO’s contact details were not easy to locate on the Responsible’s website. This details were only accessible in English, but not in any of the official languages of the Responsible.
In the third place, violation of Article 39.1.b) GDPR, as the Responsible for, had failed at the time of implementing the necessary control procedures that would have allowed the external DPO to correctly control the compliance of the data processing practices of the data controller with the GDPR.
Finally, violation of Article 38.2 GDPR, as the Responsible for having failed to assign the necessary resources to the external DPO to enable him to perform his duties.
Greece’s Data Protection Authority about the DPO in the EU
The Greek Data Protection Authority fined the Ministry of Tourism €75,000 for the following reasons:
- Lack of designation of a DPO.
- Lack of reporting a data breach that allowed citizens who entered their credentials on a government platform to see other people’s personal data (names, surnames, VAT number…).
The Ministry of Tourism was responsible for the processing on the platform. It was also responsible, according to the GDPR, for the data breach and lack of a DPO.
For its part, Greek Data Protection Authority considered the existence of a breach of the fundamental requirements to take appropriate organizational and technical measures for the security of the processing, pursuant to Article 32 GDPR, closely linked to Article 34 GDPR.
The controller did not take into account the risks to the rights and freedoms of natural persons in determining the security measures.
Finally, the Greek Data Protection Authority found a violation of the following articles by the Ministry of Tourism:
- Article 33 RGPD, by failing to inform of the above-mentioned data breach.
- Article 37.1 GDPR, by failing to designate a Responsible for data protection at the time of the breach.
Data Protection Authority in Slovenia
The Slovenian Data Protection Authority pronounced on the impossibility for the director or manager of a company (CEO) to be the DPO.
In addition to this, said Authority indicates that the DPO shall not perform tasks that determine the purposes or means of the processing of personal data.
More specifically, all those situations incompatible with the DPO shall be indicated, including:
- Senior management positions ( CEO, Operations Director, Financial Director, Marketing Director, Human Resources Director…).
- Other subordinate roles in the organization, as long as these positions or roles lead to the determination of the ends and means of the processing.
The Spanish Data Protection Authority about the DPO in the EU
The Spanish Data Protection Agency has issued series of resolutions on cases in which a Data Protection Officer was not appointed.
Such appointment is mandatory, according to article 37.1 RGPD and 37.4 RGPD, in relation to article 34 of the LOPDGDD.
These resolutions affect both the private and public sector.
Several City Councils violated Article 37.1 RGPD, on the Designation of the Data Protection Officer. No DPO was designated at the head office of the AEPD, and there was no notification of its designation.
The GDPR informs that the Responsible for and those in charge of processing must designate a DPO in the cases that the GDPR establishes.
This should also be done in those cases in which the legislation of the Member States considers it mandatory.
Public administrations act as data controllers of personal data and, sometimes, as data processors.
For this reason, they are responsible, following the principle of proactive responsibility, for complying with the obligations set out in the GDPR. It includes appointing a Data Protection Officer and notifying the AEPD.
Subsequently, all European Union Member States must comply with the provisions of the General Data Protection Regulation regarding the figure of the DPO in the EU.
In this way, they will grant the DPO in the EU the necessary competences and mechanisms so that it can correctly process personal data in accordance with the GDPR.
From Auratech we are at your disposal.