COORDINATED ENFORCEMENT ACTION – DESIGNATION AND FUNCTION OF DATA PROTECTION OFFICERS
By Mugurel Olariu, RPD protectie date
The European Data Protection Board (EDPB) adopted a report*1 that presents the status of GDPR application with regard to the designation and function of Data Protection Officers.
In summary, in October 2020 the EDPB decided to set up a Coordinated Enforcement Framework (CEF) in order to streamline enforcement and cooperation between supervisory authorities, in line with the EDPB Strategy 2021-2023. The first CEF action was carried out in 2022 and concerned the use of cloud-based services by the public sector.
For the second CEF, the EDPB selected in September 2022 “Designation and position of data protection officers” for its 2023 coordinated enforcement action.
During 2023, 25 supervisory authorities (“SAs”) in the EEA*2 launched coordinated investigations into the role of data protection officers (“DPOs”). The CEF was implemented at national level in one or more of the following ways: (1) a fact-finding exercise; (2) a questionnaire used to identify whether a formal investigation is warranted; (3) the opening of a formal enforcement investigation; and/or (4) the follow-up of formal investigations already ongoing.
Between November 2022 and February 2023, the participating SAs discussed the objectives and means of their actions within the CEF. In this context, the SAs drafted a common questionnaire worded neutrally, so that it could be completed either by the controller/processor or by the DPO.
At the same time, they ensured that each SA could adjust the questionnaire or develop its own questionnaire, based on (or inspired by) the commonly developed one. This report brings together the findings of all supervisory authorities participating in the CEF. Particular attention is paid to the challenges identified by the supervisory authorities and/or the respondents during the CEF action.
These include issues such as insufficient resources allocated to DPOs, insufficient knowledge and training of DPOs, and risks of conflicts of interest.
The report provides, among other things, a list of recommendations that organisations, DPOs and/or SAs can consider in order to address the challenges identified, without prejudice to the GDPR/EUDPR*3 and to the powers of the supervisory authorities.
The points of attention addressed by these recommendations are as follows:
➢ Failure to appoint a DPO, even where appointment is mandatory.
➢ Insufficient resources allocated to the DPO.
➢ Insufficient knowledge and training of the DPO.
➢ DPOs are not fully or explicitly entrusted with the tasks required by the GDPR/EUDPR.
➢ Conflict of interest and lack of independence of the DPO.
➢ Lack of reporting by the DPO to the highest management level of the organisation.
➢ Need for additional guidance from the supervisory authorities.
Some of the actions taken by the supervisory authorities within the CEF are still ongoing at national level, especially where formal investigations have been opened. Consequently, this document does not constitute a definitive statement of the actions carried out within the CEF; its purpose is not to conclude on the measures to be adopted, but to reflect on the actions taken by the competent supervisory authorities and to identify possible points of improvement. Note that the report may need to be updated during 2024 to take into account the progress of the procedures not yet completed and, in light of the issues identified, any further development of the EDPB Guidelines on Data Protection Officers.
The report also contains ANNEX 1: NATIONAL REPORTS OF THE SUPERVISORY AUTHORITIES, with Annex 1.1: Results of the consolidated survey of the participating supervisory authorities and Annex 1.2: National reports of the participating supervisory authorities regarding the substantive issues identified and the actions taken at the national level.
In conclusion, despite the shortcomings and concerns identified above, the results of the survey are encouraging. However, the need to strengthen the role and recognition of the DPO, and to continue promoting the importance of that role, is underlined. In order for the DPO to best ensure compliance with data protection requirements, controllers and processors must provide the necessary resources, in terms of training and budget, to enable DPOs to perform their tasks properly. The SAs recognised the added value of the coordinated work within the CEF, reporting that it also served to raise awareness among controllers, data subjects and even DPOs of the importance and scope of the DPO requirements under the GDPR. Many participating SAs are considering adopting additional guidance on DPOs following this CEF. This report reflects the status, at the end of 2023, of the CEF action on the designation and position of the DPO.
The report provides an overview of the practical approaches and solutions identified, both at the level of the Member States and of the European Union and at the level of the controllers and DPOs surveyed, for the issue under analysis: the designation and function of a key actor in the application of the GDPR, the Data Protection Officer.
–––––––––––––––––––––––––––––––––––
*1 https://www.edpb.europa.eu/ourwork-tools/our-documents/other/coordinated-enforcement-action-designation-and-position-data_ro
*2 Austria, Belgium, Cyprus, Czech Republic, Germany, Denmark, EDPS, Estonia, Greece, Spain, Finland, France, Croatia, Hungary, Ireland, Italy, Liechtenstein, Lithuania, Latvia, Malta, Netherlands, Poland, Portugal, Sweden, Slovenia.
*3 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). As regards the European Data Protection Supervisor (EDPS), any reference to “organisations”, “controllers/processors” and, depending on the context, “Member States” should be understood as referring to the institutions, bodies, offices and agencies of the European Union. In addition, with regard to the EDPS, any reference to the GDPR should be understood as the corresponding reference to the EUDPR where the latter is not explicitly mentioned. More specifically, Articles 43-45 of Regulation (EU) 2018/1725 deal with the DPO.