EDPB Review of compliance with GDPR obligations relating to DPOs

The European Data Protection Board reports on its second coordinated enforcement action, emphasizing the role and placement of Data Protection Officers (DPOs).

01 February 2024


The European Data Protection Board has released a report based on its second coordinated enforcement action, focusing on the designation and position of Data Protection Officers (DPOs). The investigation involved 25 Data Protection Authorities (DPAs) across the European Economic Area, including the European Data Protection Supervisor, and aimed to evaluate the challenges faced by DPOs. While acknowledging encouraging aspects, such as DPOs possessing necessary skills and defined tasks, the report highlights persistent challenges including insufficient resources, lack of independence, and incomplete task delegation.

The EDPB report from its most recent plenary sets out a list of gaps and obstacles faced by data protection officers. The EDPB's findings are helpful in informing organisations' priorities in relation to their own DPO-related obligations. In addition to the EU GDPR requirements referred to in this report, there are country-specific requirements relating to DPOs in certain EU Member States (such as Germany and Spain) and requirements under other laws that international groups will need to comply with.

Background to the report

  • October 2020: EDPB set up a "Coordinated Enforcement Framework (CEF)" aiming to streamline enforcement and cooperation among supervisory authorities

  • 2021: first CEF conducted on the Use of Cloud Services by Public Bodies

  • September 2022: second CEF conducted on the Designation and Position of Data Protection Officers

  • 2023: Supervisory Authorities (SAs) across the EEA launched coordinated investigations into the role of DPOs. The CEF was implemented at a national level in one or several of the following ways: (1) a fact-finding exercise, (2) a questionnaire to identify whether a formal investigation is warranted, (3) commencement of a formal enforcement investigation or follow-up of ongoing formal investigations. Various organisations, as well as DPOs, were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected, offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR.

  • November 2022-February 2023: Supervisory Authorities discussed the aims and means of their actions in the context of the CEF.

The report was adopted on 16 January 2024. It aggregates the findings of all the SAs participating in the CEF and is the result of an EU-wide coordinated investigation.

Summary of the report and its findings

The report lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role. Some of the issues highlighted by the report include insufficient resources allocated to DPOs, insufficient expert knowledge and training of DPOs and risks of conflicts of interest.

The report provides a list of recommendations that organisations, DPOs and SAs can take to address the challenges identified:

Absence of designation of a DPO, even if mandatory

  • More initiatives by SAs to raise awareness among organisations regarding their obligation to designate a DPO.

  • Further guidance from SAs on the applicable requirements to designate a DPO, further awareness campaigns to promote existing guidance on this topic and enforcement actions can be part of the solution to educate controllers and processors.

Insufficient resources allocated to DPO

  • More initiatives and actions by SAs could incentivise organisations' management to dedicate more resources to DPOs and their team.

  • Controllers and processors must perform an appropriate, case-by-case analysis of what resources a DPO needs.

  • Controllers and processors must carefully verify that the DPO has sufficient resources to properly exercise their functions.

  • Further guidance from SAs as well as additional training materials could help DPOs to navigate complex issues and save time.

Insufficient expert knowledge and training of DPO

  • SAs and/or the EDPB could provide further guidance and training sessions for DPOs.

  • Controllers and processors should ensure that they are documenting their organisations' knowledge and training needs and progress.

  • Controllers and processors should ensure that DPOs are given sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments, including, if it is relevant to their activities, on new EU digital and AI-related legislation.

  • Increased use of certification mechanisms and initiatives where relevant.

DPOs not being fully or explicitly entrusted with the tasks required under GDPR

  • More initiatives and actions by SAs could incentivise controllers and processors to maintain a proper separation between, on the one hand, the controller/processor obligations and, on the other, the DPO's own obligations and duties as set out under the GDPR.

  • Controllers should make sure to promote the role of their DPO internally.

  • Controllers should work together with their DPOs to build up their roles in an appropriately comprehensive and independent way.

  • SAs could include DPOs and/or their opinions in a structured way in the SA's processes when contacting a controller and/or processor, which will help to enable and promote DPOs in their roles.

  • All stakeholders should promote the role of the DPO within organisations to ensure that the DPO is seen as necessary and given effective support.

  • SAs can support and encourage initiatives to protect and enhance a DPO's independence regardless of the form of the contract under which they perform their function, so that DPOs feel safe to fulfil all aspects of their role.

  • Controllers and processors should ensure that they are actively reviewing and (where necessary) improving the DPO's involvement within the organisation.

Conflict of interests and lack of independence of DPO

  • More initiatives and actions by SAs could verify that controllers and processors have appropriate safeguards in their procedures to ensure that the DPO is not responsible for carrying out tasks that lead to a conflict of interests.

  • More awareness-raising activities, information and enforcement actions on the independence of the DPO could be envisaged (including on the prohibition on penalising and dismissing DPOs for performing their DPO tasks), either by SAs or internally by organisations themselves.

  • Organisations and DPOs could formalise the DPO duties and conditions for performing the DPO's duties in an 'engagement letter'.

  • DPOs should be able to collect evidence in the event of interferences with their independence.

Lack of reporting by DPO to organisations’ highest management level

  • The legal obligation to have the DPO report to the organisation's highest management level may benefit from further guidance to help controllers and processors implement it in practice.

  • SAs/the EDPB could adopt 'best practice'-based recommendations and/or a template for DPO reporting (e.g. for at least annual reporting), setting out modular and adaptable content to take into account the specificities of the organisations and the industry.

  • SAs could initiate more actions and initiatives with respect to the direct access of the DPO to top management, which is an important guarantee of the independence of the DPO.

Additional data protection authority guidance

  • In addition to the existing guidance at national and EEA levels, further guidance could help empower DPOs and address some of the challenges identified above.

  • The Guidelines on DPOs should be developed further based on the survey results.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.