Data protection officers could be "solicited" by their data protection authority in the "weeks and months to come" as part of the European Data Protection Board’s freshly launched 2023 coordinated enforcement action, Deputy Head of the EDPB Secretariat Gwendal Le Grand told DPOs at the IAPP Data Protection Intensive: France 2023.
Le Grand's warning comes as the EDPB announced Wednesday that 26 data protection authorities will participate throughout the year in the coordinated action, focused on the designation and position of data protection officers. In this second initiative under the Coordinated Enforcement Framework, DPAs will seek to gauge whether DPOs have the organizational position required by Articles 37-39 of the EU General Data Protection Regulation and the resources needed to conduct their work.
IAPP research indicated more than 500,000 organizations have registered DPOs across Europe under the GDPR. The CEF announcement follows a Feb. 9 ruling by the Court of Justice of the European Union that DPOs can maintain other tasks and duties within their role, if they do not result in a conflict of interest.
"The idea is not to make DPOs' life more difficult, but to ensure they have the means to work properly in their organization," Le Grand said.
Participating DPAs could send questionnaires to DPOs to help in a "fact-finding exercise" or to "identify if a formal investigation is warranted," the EDPB said, and could subsequently conduct a formal investigation and/or follow-up of ongoing investigations.
The results will be analyzed "in a coordinated manner" and DPAs "will decide on possible further national supervision and enforcement actions," the EDPB said, adding it will publish a report on the outcome of the analysis.
"As intermediaries between DPAs, individuals and the business units of an organization, data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights," the EDPB said.
The EDPB did not list all participating DPAs, but Spain's DPA, the Agencia Española de Protección de Datos, said it will be analyzing "the practices of more than 30,000 public and private sector entities" as part of the CEF.
The AEPD said questionnaires from participating authorities will include "questions related, among others, to the designation, knowledge and experience of the DPOs, their tasks and resources or their role and position in their respective organizations."
Bavaria's Bayerisches Landesamt für Datenschutzaufsicht, Croatia's Personal Data Protection Agency, the Czech Republic's Úřad pro ochranu osobních údajů, France's Commission nationale de l'informatique et des libertés, Finland's Office of the Data Protection Ombudsman, and Portugal's National Data Protection Commission also announced participation in the CEF.
"Organizations have an obligation to ensure that the statutory position of the data protection officer is fulfilled," Finland’s Data Protection Commissioner Anu Talus said. "The data protection officer must, among other things, have the opportunity to report directly to senior management."
While data protection authorities consider the DPO role a crucial factor in GDPR compliance, Fieldfisher Partner Tim Van Canneyt, CIPP/E, said many organizations are still "coming to grips with the role that their DPO should play," while some combine the role with other functions within the organization, which could create issues around conflicts of interest.
"I believe that the EDPB will use this coordinated enforcement action to get a better understanding of the current state of play in view of clarifying their expectations in terms of resources that a DPO should have at its disposal and the issue of conflicts," he said. "I do expect that this will result in a number of sanctions. They will likely not admit it, but I think many DPOs will welcome this initiative as it will help them in their — sometimes difficult — discussions with senior management about resources."
Olympus Europe DPO Stefan Limbacher, CIPP/E, CIPM, said he welcomes "reasonable enforcement of privacy regulations as long as it promotes privacy in its core," and in particular, welcomes enforcement coordinated on a European level "to promote the harmonization of the European privacy landscape."
Analyzing how companies are set up to meet the GDPR's DPO requirements "is a natural starting point for many interesting questions with regard to enforcement," he said.
The IAPP's Isabelle Roccia and Joseph Duball contributed to the reporting in this article.
The IAPP Resource Center includes the DPO Toolkit, which features sample job descriptions and research on how much training a DPO needs to gain baseline GDPR knowledge, among other resources.