The European Data Protection Board ('EDPB') announced, on 15 March 2023, the launch of its 2023 coordinated enforcement action, which will focus on the designation and position of data protection officers ('DPO'), following the first coordinated enforcement action in 2022. In particular, the EDPB explained that, in order to gauge whether DPOs have the position in their organisations required by Articles 37-39 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the resources needed to carry out their tasks, the participating European data protection authorities ('DPAs') will:

• send questionnaires to DPOs for a fact-finding exercise or to identify if a formal investigation is warranted;
• commence formal investigations; or
• follow-up on ongoing formal investigations.

Moreover, the EDPB outlined that the results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions.

You can read the announcement here.

UPDATE (16 March 2023)

Bavaria: BayLDA issues statement on participation in coordinated enforcement action on DPOs

The Data Protection Authority of Bavaria for the Private Sector ('BayLDA') issued, on 15 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the president of the BayLDA, Michael Will, explained that the joint initiative forms the framework for a precise analysis of the current conditions for action in operational practice and an exchange between the DPAs on possible improvements or remedial measures.

You can read the press release, only available in German, here.

Ireland: DPC announces participation in coordinated enforcement action on DPOs

The Data Protection Commission ('DPC') announced via LinkedIn, on 15 March 2023, that it will conduct a fact-finding exercise to determine whether DPOs have the position in their organisations required under Articles 37 to 39 of the GDPR, and the resources needed to carry out their tasks. In particular, the DPC noted that the announcement followed the EDPB's launch of their coordinated enforcement action for 2023 on the same day.

You can read the LinkedIn post here.

Spain: AEPD issues statement on participation in coordinated enforcement action on DPOs

The Spanish data protection authority ('AEPD') issued, on 15 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the AEPD specified that it will analyse the practices of more than 30,000 public and private sector entities with questionnaires that include questions related to the designation, knowledge, and experience of DPOs, their tasks and resources, and their role and position in their respective organisations.

You can read the press release, only available in Spanish, here.

UPDATE (23 March 2023)

Hungary: NAIH issues statement on participation in coordinated enforcement action on DPOs

The National Authority for Data Protection and Freedom of Information ('NAIH') issued, on 20 March 2023, a statement on its participation in the coordinated enforcement action on DPOs. In particular, the NAIH highlighted that it intends to assess the situation of DPOs in the public sector, taking into account that, with the exception of courts acting in their judicial responsibilities, public authorities and other bodies performing public duties pursuant to Article 37(1)(a) of the GDPR are required to appoint a DPO. To this end, the NAIH confirmed that it will carry out the survey through a joint questionnaire compiled by supervisory authority experts, which it will ask the DPOs of several public sector data controllers to fill out by the end of March.

You can download the press release, only available in Hungarian, here.

UPDATE (29 March 2023)

EU: EDPS issues statement on participation in coordinated enforcement action on DPOs

The European Data Protection Supervisor ('EDPS') issued, on 27 March 2023, a statement on its participation to the EDPB's second coordinated enforcement action. In particular, the EDPS, Wojciech Wiewiórowski, stated that, '[t]he role of a [DPO] is crucial in ensuring that data protection law is applied within entities in the EU, and within EU institutions, bodies, offices, and agencies (EUIs). By bridging the gap between EU data protection law and its practical application, [DPOs] help to promote the effective protection of individuals' privacy and personal data. Cooperating with the EDPB aims to facilitate the consistent and coherent application of data protection law, its principles, and good practices across the EU/EEA.'

You can read the statement here.

UPDATE (18 April 2023)

Denmark: Datatilsynet launches investigation into role of DPO in municipalities 

The Danish data protection authority ('Datatilsynet') announced, on 22 March 2023, that it had launched an investigation into the role of DPOs in municipalities, as part of the EDPB's second coordinated enforcement action. In particular, the Datatilsynet stated that the purpose of the investigation is to create an overview of DPOs' work and the challenges associated with it. In this regard, the Datatilsynet specified that it had sent out a survey questionnaire to Danish municipalities, the results from which will be collected and analysed, both nationally and at EU/EEA level, and thereafter evaluated by the Datatilsynet to assess the need for, among other things, more concrete guidance efforts aimed at municipalities and their DPOs.

You can read the press release, only available in Danish, here.

UPDATE (15 May 2023)

Cyprus: Commissioner announces participation in coordinated enforcement action on DPOs

The Office of the Commissioner for Personal Data Protection announced, on 15 March 2023, that it had launched an investigation into the role of DPOs in public and private organisations. In particular, the Commissioner confirmed that it will send relevant questionnaires prepared by the EDPB to organisations, noting that the responses will be evaluated and sent to the same to decide on next steps.

You can read the press release, only available in Greek, here.