22/07/20

Data Protection Summer Dive - Designation and tasks of your Data Protection Officer

Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.

This week’s topic: Designation and tasks of your Data Protection Officer

The entry into force of the GDPR on 25 May 2018 may have resulted in an obligation for your company to appoint a data protection officer (“DPO”). Through several decisions, the Belgian Data Protection Authority (“DPA”) has meanwhile issued guidance on the designation of a DPO and on the position/function of a DPO within your company.

1. Designation of a DPO

The DPO must above all have excellent knowledge of data protection legislation.

Extensive knowledge of internal IT systems and of business processes is of course valuable. Knowledge of data protection legislation is, however, a requirement for exercising this function and not a mere “plus”.

It is crucial to verify whether the DPO you have appointed or want to appoint fulfils such quality requirements, even if it is an external DPO. Request evidence of the fulfilment of these quality requirements and document that evidence (e.g. successful completion of a “certified DPO” training, ISO certification, prior experience, IAPP CIPP/E or CIPM certificate).

2. Position and tasks of the DPO

  • The DPO must be able to independently exercise his/her function within the company and conflicts of interests must be avoided.

According to the DPA, there is a conflict of interest if the DPO is also head of compliance, risk management and internal audit (no independent supervision possible - as head of these departments, the DPO determines the purposes and means of the personal data processing of these departments).

  • The DPO must be informed and, most importantly, consulted in advance on all matters relating to data protection. Merely informing the DPO of a decision after the decision has been taken renders his/her function ineffective.

  • Reporting to the top management body cannot be limited to an annual report.

  • It is not up to the DPO to actually decide on requests made by data subjects. Such decisions should be taken by the data controller.

As the DPA recently imposed several fines for not respecting the legal obligations regarding the designation and position/function of a DPO, it is highly recommended to verify whether your DPO fulfils the basic requirements set out above. We are of course happy to assist if you have doubts in this respect.
