European Data Protection Board’s (EDPB) Coordinated Enforcement Action: Role and Responsibilities of Data Protection Officers (DPOs)


Author: Deeya Barik | Associate Data Protection Advisor

Date: 21 February 2024

On 16th January 2024, the EDPB released a report based on the second coordinated enforcement action (CEF 2023), focusing on the designation and position of DPOs. This report follows a coordinated enforcement action involving 25 European Economic Area (EEA) supervisory authorities (SAs) under the EDPB’s CEF. This article delves into the recent report discussing the challenges faced by DPOs and organisations that have designated a DPO, and how these may impact compliance with data protection laws.  

Background  

This initiative was set up under the EDPB’s Coordinated Enforcement Framework (CEF), created in 2020 with a view to streamlining enforcement and cooperation among supervisory authorities. The aim of the CEF is to facilitate year-long coordinated actions and investigations on a pre-agreed subject. The only prior investigation related to the Use of Cloud Services by Public Bodies and was carried out in 2021.

With this second CEF action the EDPB wanted to: 

  • obtain insights regarding the position and work of DPOs in practice to guide enforcement actions of SAs; 
  • raise awareness of the requirements applicable to DPOs within organisations (in particular within the highest management level of organisations); 
  • ensure that DPOs fulfil the key role assigned to them by data protection law to facilitate compliance and promote the role of the DPO; and 
  • evaluate DPOs’ and organisations’ needs for further guidance and other forms of support.       

Challenges faced by DPOs

The Report lists seven obstacles currently faced by DPOs, along with a series of recommendations and points of attention to further strengthen their role. 

1. Absence of a designated DPO, even where appointment is mandatory

Article 37(1) of the GDPR sets out the circumstances in which the appointment of a DPO is mandatory. The EDPB Report noted that some organisations had not appointed a DPO when required to. In light of this, the Report recommends further initiatives by SAs to raise awareness of the mandatory requirements.

2. Insufficient resources allocated to the DPO

With respect to controllers, the Report recommends that they carefully verify resources available to their DPO, including time and capacity. Controllers should take the resourcing of their DPO seriously and document the assessment carried out to confirm that the DPO has sufficient resources. 

3. Insufficient expert knowledge and training of the DPO

Article 37(5) of the GDPR requires DPOs to have ‘expert knowledge’. However, the Report indicated that the majority of DPOs received 24 hours of training a year, with 4% receiving no training at all. The Report notes that DPOs should receive training from the relevant SAs or the EDPB, for example by introducing additional certification mechanisms (Luxembourg SA).

Additionally, the Report notes that controllers should ensure they are documenting the knowledge and training needs and progress to support compliance with Article 24 (technical and organisational measures) and Article 5(2) (accountability) of the GDPR.

4. DPOs not being fully entrusted with the tasks required under the GDPR

Article 38(1) requires a DPO to be involved “properly and in a timely manner in all issues which relate to the protection of personal data”. A DPO cannot do their job if they are not consulted. Stakeholders should promote and actively review the role of the DPO within the organisation. An annual report of the DPO’s activities was suggested.

5. Conflict of interests and lack of independence of the DPO

DPOs may hold positions (e.g., in management) which could conflict with their duties as DPO, including when externally appointed. The Report recommends that the EDPB’s Guidelines on DPOs are developed further, particularly taking account of the new roles that many DPOs may take on in relation to new EU digital legislation.

6. Lack of reporting by the DPO to the organisation’s highest management level

Article 38(3) requires DPOs to report to the organisation’s highest management level. The Report suggests having further guidance through Supervisory Authority/EDPB best practice recommendations or template reports.  

7. A requirement of further guidance from SAs

Further guidance by SAs and the development of the current EDPB Guidelines on DPOs would help DPOs carry out their tasks more efficiently. Given the fast pace of developments in the EU digital legislative sphere, the role of DPOs is evolving. New regimes including the Digital Services Act, Data Act, AI Act and the Digital Markets Act assign key roles to DPOs. The Report offers useful insights into the importance of the DPO’s role.

Country-wise Efforts

Many SAs refer to DPO Guidance on their respective websites, while some publish general FAQ sections.  

Ireland SA: the IE SA has published guidance on the appropriate qualifications for a DPO, on who needs a DPO, on how to notify the IE SA of a DPO, and an FAQ document on the DPO registration process.

France SA: maintains a comprehensive reference guide for DPO-related questions.

Poland SA: provided guidelines on the designation and status of the DPO (including detailed guidance on the possibility of combining the functions of DPOs with various other positions). The SA highlighted the tasks of DPOs (in particular what tasks are assigned to the DPO and which tasks the controller is required to carry out).  

Netherlands SA: published a position paper on the designation, tasks and/or role of the DPO, which is available on the SA’s website.   

Croatian SA: published a short brochure about the role and tasks of DPOs.


The release of the EDPB CEF Report is timely and much needed. Through this report, the EDPB concludes that organisations will need to consider how DPOs are tasked, utilised and supported, and ensure that the DPO role is free from issues such as conflicts of interest or insufficient resources at the DPO’s disposal.

Trilateral’s Data Protection and Cyber-risk team has data protection specialists with extensive expertise and experience in providing DPO and DPO Assist services to both public and private sector organisations. We have assisted all our clients around the clock when it comes to robust DPO compliance. Please feel free to contact us, as we would be more than happy to help.
