News

In 2020, the Belgian Data Protection Authority imposed an administrative fine of €50,000 on a Belgian telecommunications company.

🔍 Case Details

The company’s Data Protection Officer (DPO) was not sufficiently involved in handling personal data breaches as they held additional roles within the organization, including Head of Compliance and Audit.

Violation of Article 38-6 of the GDPR

The GDPR states that:
A Data Protection Officer may perform other tasks and duties, provided they do not result in a conflict of interest.

It is not permissible for a DPO to combine their role with another function that involves determining the purposes and means of personal data processing. The DPO must remain independent and cannot overlap with the role of the data controller.

📌 Consequences

• Administrative Fine: €50,000
• Reputational Damage: The incident highlighted governance flaws, potentially harming the organization’s public image.