March 2023 saw the launch of the European Data Protection Board’s (EDPB’s) second coordinated enforcement action (CEF 2023), which focused on the designation and position of Data Protection Officers (DPOs). Data Protection Authorities (DPAs) across the EEA have launched coordinated investigations into this topic. In particular, DPAs have been investigating whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks.
On 17 January 2024, the EDPB adopted a report on the findings of supervisory authorities participating in the CEF 2023. In particular, the report analyses the challenges faced by DPOs and organisations that have designated a DPO, and how these may impact compliance with data protection laws. The report also includes recommendations that organisations, DPOs and supervisory authorities may take into account to address these challenges.
Challenges faced by DPOs
Although the EDPB’s report recognises positive findings for many DPOs, it concludes that a number of DPOs still face obstacles, including:
- an absence of designation of a DPO, even where appointment is mandatory;
- insufficient resources allocated to the DPO;
- insufficient expert knowledge and training of the DPO;
- DPOs not being fully or explicitly entrusted with the tasks required under data protection law;
- conflict of interests and lack of independence of the DPO;
- a lack of reporting by the DPO to the organisations’ highest management level; and
- a requirement for further guidance from supervisory authorities.
Recommendations to address these challenges
In order to address the challenges identified, the report lists recommendations for organisations, DPOs and DPAs. These include:
- encouraging DPAs to raise awareness amongst organisations of their obligation to appoint a DPO, through the promotion of existing guidance and enforcement actions, and providing further guidance, additional training materials and training sessions that could help a DPO navigate complex issues; and
- encouraging organisations to ensure DPOs have sufficient resources to properly exercise their function and are given sufficient opportunities, time and resource to refresh their knowledge and learn about the latest developments.
Despite the challenges identified in the report, the EDPB concludes that the overall results of the survey are encouraging, with the majority of DPOs confirming that they receive regular training and have the necessary skills and knowledge to do their job. However, the report emphasises the need to strengthen the role and recognition of DPOs, in order to ensure compliance with data protection laws.
The report also recognises that the role of the DPO seems to be changing in practice, with DPOs being tasked with key roles under new EU legislation – introduced as part of the EU Data Strategy – such as the AI Act, the Digital Services Act, the Digital Markets Act and the Data Act. The EDPB concludes that organisations will need to consider how DPOs are tasked, utilised and supported, to ensure that these new roles avoid issues such as conflicts of interests or insufficient resources at the disposal of the DPOs.
The EDPB has confirmed that the CEF 2024 action will focus on the implementation of the right of access by data controllers.