In a decision of December 16, 2021, the Belgian Data Protection Authority (DPA) imposed a EUR 75,000 administrative fine on a bank located in Belgium for failure to comply with the requirement in Article 38.6 of the General Data Protection Regulation (GDPR) that the tasks and duties of the Data Protection Officer (DPO) must not result in a conflict of interest.
In addition to being the bank’s DPO, the individual in question was also leading the bank’s Operational Risk Management department, the Information Risk Management department, as well as the bank’s Special Investigation Unit.
The DPA didn’t agree with Bank’s opinion that there is no conflict of interest as all those roles are second line of defense and no decisions on data processing activities are made by the individual. The head of the departments of the second-line services is responsible for determining the purposes and means of the processing activities in the context of its own second-line services. This is also reflected in the bank’s record of processing activities, which lists a substantial number of categories of personal data that are processed by the three departments.
DPA imposes an administrative fine of EUR 75.000, as a sign of “vigorous enforcement” of the GDPR.