EU: EDPB launches second coordinated enforcement action on DPOs

The European Data Protection Board ('EDPB') announced, on 15 March 2023, the launch of its 2023 coordinated enforcement action, which will focus on the designation and position of data protection officers ('DPO'), following the first coordinated enforcement action in 2022. In particular, the EDPB explained that, in order to gauge whether DPOs have the position in their organisations required by Articles 37-39 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the resources needed to carry out their tasks, the participating European data protection authorities ('DPAs') will:

  • send questionnaires to DPOs for a fact-finding exercise or to identify if a formal investigation is warranted;
  • commence formal investigations; or
  • follow-up on ongoing formal investigations.

Moreover, the EDPB outlined that the results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions.

You can read the announcement here.

UPDATE (16 March 2023)

Bavaria: BayLDA issues statement on participation in coordinated enforcement action on DPOs

The Data Protection Authority of Bavaria for the Private Sector ('BayLDA') issued, on 15 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the president of the BayLDA, Michael Will, explained that the joint initiative forms the framework for a precise analysis of the current conditions for action in operational practice and an exchange between the DPAs on possible improvements or remedial measures.

You can read the press release, only available in German, here.

Ireland: DPC announces participation in coordinated enforcement action on DPOs

The Data Protection Commission ('DPC') announced via LinkedIn, on 15 March 2023, that it will conduct a fact-finding exercise to determine whether DPOs have the position in their organisations required under Articles 37 to 39 of the GDPR, and the resources needed to carry out their tasks. In particular, the DPC noted that the announcement followed the EDPB's launch of their coordinated enforcement action for 2023 on the same day.

You can read the LinkedIn post here.

Spain: AEPD issues statement on participation in coordinated enforcement action on DPOs

The Spanish data protection authority ('AEPD') issued, on 15 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the AEPD specified that it will analyse the practices of more than 30,000 public and private sector entities with questionnaires that include questions related to the designation, knowledge, and experience of DPOs, their tasks and resources, and their role and position in their respective organisations.

You can read the press release, only available in Spanish, here.

UPDATE (23 March 2023)

Hungary: NAIH issues statement on participation in coordinated enforcement action on DPOs

The National Authority for Data Protection and Freedom of Information ('NAIH') issued, on 20 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the NAIH highlighted that it intends to assess the situation of DPOs in the public sector, taking into account that, with the exception of courts acting in their judicial responsibilities, public authorities and other bodies performing public duties pursuant to Article 37(1)(a) of the GDPR are required to appoint a DPO. To this end, the NAIH confirmed that it will carry out the survey through a joint questionnaire compiled by supervisory authority experts, which it will ask the DPOs of several public sector data controllers to fill out by the end of March.

You can download the press release, only available in Hungarian, here.

UPDATE (29 March 2023)

EU: EDPS issues statement on participation in coordinated enforcement action on DPOs

The European Data Protection Supervisor ('EDPS') issued, on 27 March 2023, a statement on its participation in the EDPB's second coordinated enforcement action. In particular, the EDPS, Wojciech Wiewiórowski, stated that, '[t]he role of a [DPO] is crucial in ensuring that data protection law is applied within entities in the EU, and within EU institutions, bodies, offices, and agencies (EUIs). By bridging the gap between EU data protection law and its practical application, [DPOs] help to promote the effective protection of individuals' privacy and personal data. Cooperating with the EDPB aims to facilitate the consistent and coherent application of data protection law, its principles, and good practices across the EU/EEA.'

You can read the statement here.

UPDATE (18 April 2023)

Denmark: Datatilsynet launches investigation into role of DPO in municipalities 

The Danish data protection authority ('Datatilsynet') announced, on 22 March 2023, that it had launched an investigation into the role of DPOs in municipalities, as part of the EDPB's second coordinated enforcement action. In particular, the Datatilsynet stated that the purpose of the investigation is to create an overview of DPOs' work and the challenges associated with it. In this regard, the Datatilsynet specified that it had sent out a survey questionnaire to Danish municipalities, the results from which will be collected and analysed, both nationally and at EU/EEA level, and thereafter evaluated by the Datatilsynet to assess the need for, among other things, more concrete guidance efforts aimed at municipalities and their DPOs.

You can read the press release, only available in Danish, here.

UPDATE (15 May 2023)

Cyprus: Commissioner announces participation in coordinated enforcement action on DPOs

The Office of the Commissioner for Personal Data Protection announced, on 15 March 2023, that it had launched an investigation into the role of DPOs in public and private organisations. In particular, the Commissioner confirmed that it will send relevant questionnaires prepared by the EDPB to organisations, noting that the responses will be evaluated and sent to the same to decide on next steps.

You can read the press release, only available in Greek, here.

UPDATE (18 January 2024)

EU: EDPB adopts 2023 CEF report on designation and position of DPOs

The EDPB adopted, on 17 January 2024, a report on the findings of its enforcement of the Coordinated Enforcement Framework (CEF) in 2023, which focused on the designation and position of DPOs. In particular, the EDPB highlighted that 25 European data protection authorities investigated DPOs across both private and public sectors, evaluating more than 17,000 responses, to assess their role and effectiveness five years after GDPR implementation.

What were the findings and recommendations of the report?

The EDPB noted that the results of the investigation were largely positive. However, DPOs faced some challenges in the discharge of their role, and these were identified in the reports along with recommendations for organizations, DPOs, and Data Protection Authorities (DPAs) to strengthen DPOs' independence and to guarantee that they have the necessary resources to carry out their tasks, including, but not limited to:

  • absence of designation of a DPO, even if mandatory: more educational and awareness initiatives on the obligation of appointing a DPO are needed by the supervisory authorities (SA) as well as enforcement actions;
  • insufficient resources allocated to the DPO: controllers and processors (CP) must ensure that DPOs have sufficient resources to exercise their functions in the organization;
  • insufficient expert knowledge and training of the DPO: SAs and the EDPB need to provide further guidance and training to DPOs, controllers and processors need to document their organization's knowledge and training needs, and increased certification mechanisms and increased stakeholder cooperation are needed;
  • DPOs not fully or explicitly entrusted with the tasks required under the GDPR/EUDPR: SAs could incentivize CPs to maintain separation of their role and that of the DPO to perform its duties under the GDPR/EUDPR, and CPs and all stakeholders must promote the role of the DPO internally;
  • conflict of interest and lack of independence of the DPO: EDPB's Guidelines on DPOs need to be developed to further clarify the term 'conflict of interests', and SAs should take more actions in verifying that CPs have appropriate safeguards to avoid conflicts of interest in the DPO's role;
  • lack of reporting by the DPO to the organization's highest management level: SAs could encourage further guidance such as industry standards, policies, and best practices to better define the conditions, frequency, content, and effectiveness of reporting by DPOs to management; and
  • lack of further guidance from SAs: further guidance is needed to empower DPOs and address the challenges identified above.

Which national reports were published?

Furthermore, the EDPB noted that the report is accompanied by the national reports of each participating DPA containing detailed information regarding the problems they identified with compliance with the provisions relating to the DPOs, among others.

Poland: UODO publishes national report on EDPB's CEF research on the role of DPOs

The Polish Data Protection Authority (UODO) highlighted, in its report, problems identified in practices that may result in violations of the provisions of the GDPR, including:

  • burdening the DPO with the administrator's duties, e.g., keeping a register of processing activities;
  • concluding an agreement for entrusting the processing of personal data between the administrator and the DPO;
  • granting the DPO a power of attorney to represent the administrator in matters related to personal data protection; and
  • outsourcing to companies that provide the services of the DPO function.

Czechia: ÚOOÚ responds to EDPB's investigation on the position of DPOs  

The Office for Personal Data Protection (ÚOOÚ) emphasized that in its investigations of all 14 ministries consulted, it identified suspected violations of the GDPR, finding that:

  • DPOs are not properly and timely involved in all matters related to personal data protection;
  • DPOs often do not have access to information related to the processing of personal data; and
  • ministries provide instructions to DPOs that relate to the performance of their tasks, which is expressly prohibited by the GDPR.

You can read the EDPB's press release here, the adopted report here, the UODO's press release here, and the national report here, both only available in Polish, and the Czechia press release, only available in Czech, here.