On March 15, 2023, the European Data Protection Board (“EDPB”) – the body through which the EU Member States’ Supervisory Authorities cooperate – along with 26 EU Supervisory Authorities officially launched a “coordinated enforcement action”, focusing on the designation of Data Protection Officers (“DPOs”) under the EU GDPR, and the position that DPOs hold in the organizations that appoint them.
To gauge whether DPOs’ roles align in practice with the requirements set out in the EU GDPR, participating EU Supervisory Authorities may, for example, send questionnaires to organizations that have appointed a DPO, as a fact-finding exercise and to determine whether a formal investigation is warranted. Ultimately, EU Supervisory Authorities may decide to take further regulatory action against organizations in non-compliance with the EU GDPR’s rules (e.g., by imposing administrative fines).
At the beginning of each year, the EDPB and participating EU Supervisory Authorities decide to “join forces” and coordinate their activities, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations. The purpose of these recurring annual coordinated actions is to promote compliance, empower individuals to exercise their rights under the EU GDPR, and to raise general awareness around privacy and data protection. This year, the focus is on whether DPOs have been properly appointed, and whether they are able to exercise their roles in accordance with the EU GDPR.
The EU GDPR requires organizations to appoint a DPO where certain criteria are met, such as:
- Where their core activities involve regular and systematic monitoring of individuals on a large scale; or
- Where their core activities involve large-scale processing of sensitive personal data (such as health data).
The EU GDPR also contains strict rules about the role of the DPO. For example, the DPO must:
- Be able to independently monitor the organization’s EU GDPR compliance and should not be assigned with tasks or duties that may give rise to conflicts of interest. This means that the DPO may not be able to hold certain roles within the organization, such as senior management, or head of department positions that involve determining how and why the organization processes personal data;
- Be able to report directly to the highest level of management. The DPO should be involved at an early stage in connection with issues relating to data protection, and should be part of working groups or teams within the organization dealing with data processing activities; and
- Have “expert knowledge of data protection law and practices” and be given access to appropriate resources (such as infrastructure, access to training, and sufficient time to fulfil their duties).
Due to the challenges of appointing a DPO internally, many organizations prefer to designate an external DPO (e.g., outside counsel or a privacy consultant).
What is next?
Although all of the relevant EU Supervisory Authorities will conduct their assessments based on a common methodology, it will be up to each Authority to decide on possible enforcement actions.
The focus of each EU Supervisory Authority’s enforcement action may also vary across different EU Member States. For example, the Spanish Supervisory Authority has stated that it will specifically examine companies in the banking and finance, health, energy, security, and telecommunications sectors, whereas the Belgian Supervisory Authority and the Bavarian Supervisory Authority in Germany have indicated a focus on potential conflicts of interests of DPOs, in addition to the question whether DPOs adequately engage with the organization’s highest levels of management.
Once the coordinated enforcement activities are concluded, the EDPB will publish a report on the findings (by aggregating the feedback from the 26 participating EU Supervisory Authorities).
What can companies do?
The decision to launch a coordinated enforcement action focusing on the role of the DPO suggests that Supervisory Authorities across the EU are concerned about organizations’ lack of compliance with the relevant requirements of the EU GDPR. Companies subject to the EU GDPR should therefore make sure that:
- They have duly assessed whether or not their activities trigger the requirement to appoint a DPO (and that they have documented that assessment);
- Where appropriate, they have designated a DPO (whether through an internal appointment, or via a third-party service provider);
- The DPO’s position and role reflect the requirements of the EU GDPR;
- The DPO is provided with the resources, training, and support – including from outside counsel – needed to perform its duties in accordance with the EU GDPR; and
- They have implemented internal processes to avoid conflicts of interests involving the DPO.
Even where it is not legally required, companies may also wish to consider appointing a DPO on a voluntary basis to assist with the company’s EU GDPR compliance efforts. However, it is important for such companies to be aware that in that case the EU GDPR’s full set of rules on the role of the DPO will apply; the EU GDPR does not provide for a less stringent regime that applies in the case of voluntary DPO designation.
The EDPB’s announcement on the launch of the coordinated enforcement action can be read here.