The Dilemma of the Part-Time DPO – Lessons Learned From the Proximus Decision of the Belgian Data Protection Authority

May 7, 2020

On April 28, 2020, the Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données, the “Belgian DPA”), handed down a decision imposing a €50,000 fine on Proximus, Belgium’s largest telecommunications operator, on the ground that Proximus had failed to protect its data protection officer (“DPO”) from conflicts of interests in violation of article 38(6) of the GDPR.

In the case at hand, the Belgian DPA ruled that the conflict arose from the fact that Proximus’ DPO also fulfilled the function of director of audit, risk and compliance. The Belgian DPA discovered this when investigating the company’s organisational measures relating to the security of its data processing operations after Proximus duly self-reported a personal data breach in accordance with the GDPR. Interestingly, the breach itself did not give rise to a sanction.

Read the full post on the Cleary Cybersecurity and Privacy Watch blog here.