A recent decision issued by the Belgian Data Protection Authority has some ramifications for registered social landlords (RSLs) who appoint a member of staff as their Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) recently celebrated its second birthday. Many RSLs appointed a DPO when preparing for the GDPR on the basis that they process special category personal data on a large scale as part of their core activities. From November 2019, RSLs were designated as Scottish public authorities for freedom of information purposes, providing an additional reason to appoint a DPO.
Depending on their requirements, some RSLs have appointed an existing member of staff as their DPO, while others have either recruited for a dedicated position or outsourced this to an external provider.
DPOs and the Belgian Data Protection Authority (DPA)
The DPA, the Belgian equivalent of the UK Information Commissioner’s Office (ICO), investigated Proximus SA, a large telecommunications company in Belgium, for a self-notified GDPR breach involving sending e-mails to incorrect recipients. As part of this, the DPA reviewed the company’s GDPR compliance practices, including its DPO appointment.
The DPA issued a €50,000 fine against the company because it had appointed its Head of Compliance, Risk Management and Audit as its DPO. In the DPA’s view, this did not comply with the GDPR and the Head was prohibited from carrying out the DPO role for the following reasons:
The Head had operational responsibility for the data processing activities of their department, for example, regarding internal investigations and audits. Despite having a “DPO Charter” in place, which set out how conflicts of interest were to be resolved, the DPA decided that this responsibility resulted in a lack of independent DPO oversight and verification of such activities. This was important because the GDPR states the DPO may fulfil other tasks and duties within an organisation, but those other tasks and duties must not result in a conflict of interest.
The DPA believed the level of fine was appropriate due to the company’s “serious negligence” and it wanted to “vigorously enforce the rules of the GDPR” through “an effective, proportionate and dissuasive sanction”. The DPA noted the company should have been better prepared in its DPO appointment considering its data processing activities, which (like RSLs) involved the processing of special category personal data on a large scale.
What the decision means for RSLs
Although the DPA’s decision is not directly applicable in the UK, this does not mean the ICO will necessarily adopt a different approach. The GDPR is identical across the EU and incorporates a consistency mechanism whereby the EU data protection regulators must ensure the consistent application of the GDPR in certain matters. Given similar circumstances, the ICO may follow the lead of the DPA.
The DPO should not be an individual who holds decision-making power when it comes to determining the “what, how and why” of personal data processing, either across the RSL as a whole or within a specific department. Indeed, the European Data Protection Board (EDPB), consisting of all EU data protection regulators, has highlighted that the Chief Executive and Heads of Operations, Finance, Human Resources and/or IT are likely precluded from fulfilling the DPO role due to lack of independence and potential conflicts of interest.
Other members of staff who do not necessarily head a department, but who have a degree of decision-making power over the “what, how and why” of personal data processing, may also be similarly excluded. This could include Welfare Rights Advisers, who typically sit within the RSL Housing Services function but whose role is generally independent when it comes to the processing of personal data because of the nature of their work.
The DPA’s decision broadens the EDPB’s approach to possibly include the head of any department on the premise that their role will inevitably involve some decision-making when it comes to processing personal data within their functional area. This could automatically exclude the Heads of Corporate Services, Housing, Legal, Compliance and Maintenance from being appointed as DPO.
The role may successfully be performed by more junior staff who do not fall within these categories,