Tough trading conditions mean more and more businesses are having to make a call on how to allocate their hard-earned income. In this context, adequately resourcing your Data Protection Officer (DPO) to meet regulatory requirements becomes paramount to minimising the risk of fines. Recently, the administrative court of Luxembourg (in May) and the Contentious Chamber of the Belgian Data Protection Authority (in June) issued fines against controllers for not sufficiently involving their DPOs and for not providing enough support and resources for their data protection programmes.

The case in Luxembourg arose after the local supervisory authority had launched an investigation into a group of companies with a subsidiary in Luxembourg. A single data protection officer had been appointed for the group under Article 37(2) GDPR. The DPO was not a member of the board, was not located in Luxembourg, and was involved only indirectly in data protection matters through a local point of contact. In the appeal against the DPA's decision, the administrative court held that for the DPO to fulfil the obligation arising from Article 39(1) GDPR (the obligation to inform and advise the controller), he or she must be involved in all questions and projects involving data protection at the earliest possible stage. The court upheld the fine of €18,000 and the DPA's finding that the controller had violated Article 38(1) GDPR and Article 39 GDPR.

In the more recent case before the Contentious Chamber of the Belgian supervisory authority, the DPO had been appointed only on a part-time basis (three days a week). The DPO was overworked, which prevented him from responding efficiently to requests, such as the data subject request to delete personal data that led to the case before the Contentious Chamber. The controller was found to be non-compliant with Articles 5(2) and 24 GDPR. A fine of €245,000 was originally imposed on the data controller; this was later reduced to €172,431 due to the controller's difficult financial situation.

Both regulatory enforcement cases serve as a reminder of the importance of actively and sufficiently involving your DPO in all data protection matters and providing them with enough support and resources in order to fully comply with the GDPR.   

External DPOs can offer cost savings to already stretched compliance budgets, but recent case law shows that regulators will not hesitate to enforce the "adequately resourced" requirement of the GDPR. As a global Data Protection Officer services provider, HewardMills offers its clients regular reviews of their data protection practices to ensure full compliance with the GDPR.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.