GDPR: fines issued across Europe for failing to appoint an independent Data Protection Officer

Data supervision authorities in Spain and Belgium have recently issued substantial fines to companies for failing to appoint an independent Data Protection Officer (DPO).   

Glovo App fined €25,000 for failing to appoint DPO

In June 2020, Glovo App was fined €25,000 by the AEPD, the Spanish data supervision authority, for failing to appoint a DPO. Glovo, the on-demand courier service, argued it was exempt from the requirement to appoint a DPO. The AEPD disagreed. It found because Glovo routinely processes thousands of customers’ data daily, it conducts “large scale” processing as a “core activity” and therefore was not exempt from this requirement.

When is a DPO needed?

Organisations must appoint a DPO where its “core activities” include processing which requires regular and systematic monitoring of data subjects on a “large scale”. The Article 29 Working Party (now the European Data Protection Board) produced guidance on these terms. In particular:

• “Core activities” are those operations which are necessary to achieve the organisation’s goals (for example, a hospital needs to process patient data in order to deliver healthcare services effectively)
• To decide if processing is “large scale,” relevant factors include:
  • The number of data subjects concerned
  • The volume and range of data processed
  • The duration and/or permanence of the processing activity
  • The geographical extent of the processing activity

“Data Protection Committee” not a valid substitution for a DPO

The DPO is responsible for ensuring that an organisation complies with data protection laws and cooperates with the relevant supervisory authority. They should have a level of experience and knowledge of data protection laws and practices that is appropriate for the sensitivity, complexity and amount of data being processed.  

Glovo had not appointed a DPO but set up a “data protection committee” which, it said, fulfilled much of the same functions as a DPO would. It argued that the committee enabled it to guarantee the protection of its customers’ data rights and comply with data protection rules. It also planned to appoint a DPO once it determined that its customer base had grown to such a level that it needed one.  

According to the AEPD, Glovo’s approach was insufficient. It already routinely processes thousands of customers’ personal data daily, and so it was deemed to perform large scale processing as one of its core activities. It was fined €25,000. The fact that Glovo appointed a DPO on the day before the AEPD proceedings began did not enable it to escape liability for its failure to comply up to that point in time.

Belgian company fined €50,000 for appointing head of compliance, audit and risk as DPO

In April 2020, the BDPA, the Belgian Data supervision authority, fined a company €50,000 for non-compliance with conflict of interest rules under GDPR. The unnamed organisation was found to have appointed its head of compliance, audit and risk as its DPO. After an investigation, the BDPA found that this combination created a conflict interest which infringed GDPR requirements regarding conflicts of interest.

DPO required to be free from conflicts of interest

Organisations are permitted to appoint a DPO that also “fulfils other tasks and duties”, but they must ensure that those tasks and duties do not result in a conflict of interest. Article 29 Working Party (as then was) issued guidance which advised that certain executive and senior management positions tend to conflict with the DPO’s role because they may require the DPO to determine the purposes and means of processing personal data.

Executive responsibilities conflicted with role as DPO

The BDPA found that by appointing a DPO who was already the director of compliance, audit and risk departments, the organisation failed to ensure that its DPO was sufficiently free from conflicts of interest.

The organisation argued there was no conflict because its DPO was not involved in any decision-making regarding the purpose or means of processing personal data. However, the BDPA disagreed and found that as head of compliance, risk and audit, they were ultimately responsible for data processing issues in those departments. This responsibility meant that they were not in a position to independently supervise those departments in their other role as DPO.

The BDPA fined the organisation €50,000 – the BDPA’s highest administrative fine to date. In reaching the outcome, the BDPA noted that the DPO is not a new concept and has existed throughout Europe for many years. It also considered the fact that data processing was one of the organisation’s core activities and that it had been in breach of its obligations since GDPR officially came into force in May 2018.

Implications

The rulings come as a fresh warning to comply with the Article 37 and 38 requirements to appoint a DPO and ensure the DPO is sufficiently independent so that it can supervise effectively. The German data supervisory authority took a similar approach, where Facebook was recently fined €50,000 for similar reasons.

It has been over two years since GDPR came into force and it seems the regulatory grace period that organisations have enjoyed is abruptly coming to a close. When giving its ruling, the BDPA noted specifically that organisations have now had enough time to ensure compliance with their GDPR obligations.

Lockdown has significantly increased organisations’ online activity and data processing has sharply risen as a result. The Information Commissioner’s Office has taken a pragmatic approach to enforcement during the Covid-19 pandemic. However, as we move towards the ‘new normal’ of remote working on a more permanent basis, it seems this increased processing activity will be a long-term feature of the post-lockdown environment.

It’s not yet clear whether the BDPA’s ruling will trigger a major shift away from dually appointed DPOs and heads of compliance/legal functions, as is common in many organisations. At the very least, it should come as a warning to organisations whose DPO fills a number of roles about the potential for a similar conflict. This may be particularly challenging for smaller companies who may now feel that the only option to meet their obligations is to outsource their DPO responsibilities.

Organisations should bear in mind that GDPR enforcement measures for administrative failures, such as not appointing a DPO, include fines of up to the higher of €10m or 2% of annual global turnover. If your organisation does decide not to appoint a DPO, then make sure it is a conscious and well-reasoned decision which has been fully documented and signed off by a senior member of staff.