The European Data Protection Board (“EDPB”) has launched its 2023 coordinated enforcement action. Throughout the year, 26 Data Protection Authorities (“DPAs”) across the European Economic Area (“EEA”) including the European Data Protection Supervisor (“EDPS”) will participate in the Coordinated Enforcement Framework 2023 (“CEF”) on the designation and position of Data Protection Officers (“DPOs”).
DPOs, who act as intermediaries between DPAs, data subjects and the business units of an organization, play an essential role in ensuring compliance with data protection law and in promoting the effective protection of data subject rights.
In order to determine whether DPOs have the position in their organization required by Articles 37 – 39 General Data Protection Regulation (“GDPR”) and the resources needed to carry out their tasks, participating DPAs will implement the CEF at national level in a number of ways, including:
– Sending questionnaires to DPOs, either to support fact-finding exercises or to identify whether a formal investigation is warranted;
– Commencing a formal investigation;
– Following up on ongoing formal investigations.
The results of this joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. Furthermore, the results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up action at the European Union (“EU”) level. The outcome of this analysis upon conclusion of the actions will be published by the EDPB.
This is the second initiative under the CEF. The results of the first initiative highlighted certain key aspects of the role of DPOs, including:
– In addition to notifying the competent supervisory authority of the DPO’s appointment, an organization with branches in other Member States should also notify the supervisory authorities of those branches, notwithstanding the consistency mechanism;
– DPOs may not act as the controller’s representative before the supervisory authority, as this could jeopardize the autonomy or independence of the DPO;
– An organization cannot appoint a company as its outsourced DPO and have that company in turn subcontract the role to an external individual;
– Having a data protection committee does not relieve an organization of the obligation to appoint a DPO; and
– If the DPO also serves as head of compliance, audit or risk management, the autonomy or independence of the role may be compromised. This must be assessed on a case-by-case basis.
Decisions by DPAs have provided valuable insights into the role and responsibilities of DPOs under the GDPR. These decisions emphasize the importance of autonomy and independence, conflict of interest management, direct access to top management and appropriate measures for external DPOs.
Does your organization require the assistance of a DPO, or do you have questions in this regard? Contact us, the Experts in Data Privacy, at email@example.com for assistance.