In March 2023, the EDPB announced a second coordinated enforcement action focused on the role of Data Protection Officers (DPOs). This article delves into this recent announcement by discussing the intended role of the DPO and the questions expected to be included in the action. The article will also elaborate on the approaches of different Supervisory Authorities across the European Economic Area (EEA).
In October 2020 the European Data Protection Board (EDPB) issued a document on the Coordinated Enforcement Framework (CEF). The CEF set out the EDPB’s plan to launch a coordinated action annually on key data protection issues to ensure uniform compliance with the GDPR across the European Economic Area (EEA). Thus the CEF may also be seen as a rulebook dictating the structure of the annually recurring actions on a pre-decided topic. The actions can range from a joint awareness-raising and information-gathering exercise to enforcement sweeps or joint investigations. The goal of the CEF is to encourage effective cooperation amongst the Supervisory Authorities (SAs) (Article 61(1) GDPR) and ensure consistent application and enforcement of the GDPR (Article 51(1)(g) GDPR). In February 2022, the EDPB subsequently launched its first coordinated enforcement action, on the use of cloud services by public sector organisations across the EEA, which resulted in a report.
Role of a DPO:
The European Data Protection Supervisor (EDPS) stated that the role of a DPO is fundamental in bridging the gap between data protection law and its practical implementation. Additionally, the role of the DPO, as an expert in the field, helps the organisation in promoting and protecting the fundamental rights and freedoms (including the privacy) of a data subject.
DPOs are often described as the intermediaries between the SAs and the organisation. They are responsible for communicating with the SAs and ensuring cooperation in case of an investigation. DPOs also often assist in conducting risk assessments and data protection impact assessments and in maintaining other accountability documentation within an organisation. They also assist in implementing a data protection by design and by default approach. Most importantly, however, a DPO must be independent and report to the highest management level, and can thus provide a different perspective on projects. While the above are some key responsibilities of a DPO, a detailed list can be found in Articles 37 to 39 of the GDPR.
Therefore the EDPB decided to carry out a coordinated action on the role of DPOs, as they play an integral role in an organisation’s compliance with its GDPR obligations. DPOs are also the torch bearers of the data protection by design and by default approach, and thus it is essential that all public organisations have appointed a DPO.
What to expect:
Organisations may receive a communication from their SA seeking information to identify whether an inquiry into the role of the DPO is warranted. The communication may take the form of a questionnaire and may seek information regarding:
- the tasks carried out by the DPO in the organisation,
- details about the DPO’s independence,
- frequency of queries,
- interactions with board members of the organisation, and
- the particular experience that the DPO brings to the organisation.
The results from the questionnaires will be considered first at member state level by the SA itself and then sent onwards to the EDPB for a wider analysis applicable across the EEA. The EDPB will also publish its findings in the form of a report on the coordinated action. Based on the aggregated data, the SAs and the EDPB may decide to issue further guidance on the role of the DPO.
Approach of various SAs across the EEA
The EDPB announcement did not specify whether the focus will be on public or private organisations; however, statements on the action from some SAs indicate which organisations are in scope. Specifically, both the Spanish SA and the Bavarian SA have indicated that they would include all DPOs registered with them regardless of the sector (i.e. public or private). The Spanish SA has further mentioned that it will focus on organisations involved in activities relating to education, health, energy, telecommunications and banking. In addition, CNIL, the French SA, has mentioned its intention to participate in and contribute towards the coordinated action, but has not specified its focus. In Ireland, the DPC is yet to release an official statement on the number or sector of organisations participating in this activity.
The EDPS has also announced its intention to carry out the coordinated action at the European Institutions. The EDPS stated that the DPO’s independence from the management teams would be the focus area. Therefore we recommend that European Institutions appoint a DPO and comply with Section 6, titled “Data Protection Officer”, of the EUDPR.
What to do?
While the GDPR does not impose a mandatory obligation to appoint a DPO, organisations (in both the public and private sectors) are recommended to ensure the following:
- the position of the DPO is detached from CEOs, corporate-level management, IT managers, HR officers, and even compliance officers or legal advisors, thus ensuring that DPO tasks are carried out independently and do not result in a conflict of interest;
- the DPO possesses sufficient experience and understanding of data protection and privacy law in the EU and around the world, coupled with knowledge of how data is processed in practice;
- the appointed DPO is kept up to date on developments in data protection law through necessary training and access to legal literature.
It is also essential to note that Article 83 of the GDPR does not distinguish between public and private sector organisations, and failure to appoint a DPO may result in fines of up to EUR 10,000,000, or up to 2% of the total worldwide annual turnover of the preceding financial year.
Trilateral’s Data Protection and Cyber-risk team has data protection specialists with extensive expertise and experience in providing DPO and DPO-assist services to both public and private sector organisations. We can also support you if you have been contacted by your national Supervisory Authority in respect of this action. Please feel free to contact us; we would be more than happy to help.