The European Data Protection Board coordinated enforcement action for 2023 specifically targets the designation and position of data protection officers. This initiative involves the active participation of 26 European data protection authorities. To ensure DPOs meet the requirements set out in Articles 37-39 of the EU General Data Protection Regulation and possess the necessary resources to carry out their responsibilities effectively, the participating DPAs will implement the Coordinated Enforcement Framework at the national level, employing the following methods by:
- Sending questionnaires to DPOs to facilitate fact-finding exercises or determine the need for formal investigations.
- Initiating formal investigations when deemed necessary.
- Conducting follow-ups on ongoing formal investigations.
Two years ago, we summarized key aspects of relevant decisions outlined by European DPAs on the role of the DPO. Here are five takeaways from the article:
- In addition to appointing the DPO to the competent supervisory authority, one organization should notify the other supervisory authority where there are other branches of the organization, despite the consistency mechanism.
- DPOs are not allowed to engage in a role as the controller's representative before the supervisory authority, as this could jeopardize the autonomy or independence of the DPO.
- It is not possible to hire a company as an outsourced DPO and have it also hire an external individual to perform this role.
- An organization with a data protection committee does not replace the obligation of appointing one DPO.
- If the DPO is selected to serve as head of compliance, audit and risk management, the autonomy or independence of the role may be compromised. This should be analyzed case by case.
Given the EDPB's selection of DPOs as the focal point for their coordinated enforcement action in 2023, it is crucial to revisit how DPAs evaluate the performance of this role. In order to assist privacy professionals in enhancing their programs, we have carefully reviewed and selected new decisions on this topic.
Conflicts of interest
Managing director as the DPO
Country: Germany
Issue date: 20 Sept. 2022
A fine of 525,000 euros was imposed on an e-commerce retail group for violating Article 38(6) of the GDPR since the DPO was not acting with the necessary autonomy and independence. In this case, the DPO was also a managing director of two subsidiaries responsible for processing data for the main company. This resulted in a situation where the DPO should monitor compliance with processing activities carried out by a data agent where he was the final decision maker. In the DPA's words, this individual made "substantial decisions regarding the data processing activities on those companies."
Link
Alternative DPO to solve conflict of interest
Country: Luxembourg
Issue date: 13 Oct. 2021
Luxembourg's National Commission for Data Protection audited a private company and found the controller had appointed a DPO who had additional tasks and duties that could result in a conflict of interest with its role.
The authority reinforced that the DPO cannot exercise a function within the same company, allowing them to determine the purposes and means of processing personal data, in this case, as part of their duties as head of compliance.
In its defense, the company explained the processing activity would be endorsed and countersigned by the hierarchical superior of the DPO. This measure, however, was not considered efficient, and the authority recommended the appointment of an alternative DPO to be responsible for the processing activities from the compliance.
The company then appointed the chief risk officer as an alternative DPO for the data processing activities of the compliance department to avoid any future conflict of interest. However, the company received a fine because it implemented the mitigation measure during the investigation.
Link
Too many layers between DPO and top management
Country: Luxembourg
Issue date: 27 Oct. 2021
In 2018 the Luxembourg CNPD launched a task force to audit how companies implemented the DPO function. In a specific case, the authority identified a company in which the DPO reported to the head of risk management and internal audit department, which reported to the general services director and then to the top management, meaning there were two hierarchical layers between the DPO and executive level. Even though the DPO had regular meetings with the board, the CNPD considered the company's inability to demonstrate that the DPO could directly access the highest level of management as an infringement of Article 38(3) of the GDPR.
Link
Red flags for appointing an external DPO
Country: Luxembourg
Issue date: 15 Oct. 2021
In two different cases, the CNPD indicated three noncompliance situations regarding external DPOs:
- The external DPO could not voluntarily intervene but only acted when requested to do so by the controller.
- The role of the external DPO must be formalized in the form of a control plan or monitoring procedures to ensure it can advise and accompany the organization for data protection compliance effectively.
- The controller needs to allocate the necessary resources to the external DPO for the latter to carry out their tasks.
DPOs can be dismissed without violating the GDPR
Country: France
Issue date: 21 Oct. 2022
Confirming the decision issued by France's DPA, the Commission nationale de l'informatique et des libertés, in 2021, the Counsel of State said DPOs could be dismissed if they no longer possess the professional qualities required or fail to fulfill their duties under the GDPR. In a case involving a company's dismissal of its DPO, the CNIL considered whether the dismissal was due to shortcomings in the DPO's performance or a breach of GDPR provisions. The company argued the DPO did not fully meet the requirements of their position, citing issues such as lack of response to requests, noncompliance with internal processes and taking absence leave without notification. After examining the information, the CNIL found no evidence of a breach of GDPR provisions and ruled the dismissal was lawful.
Link
Recent decisions by European DPAs have provided valuable insight into the role and responsibilities of data protection officers under the GDPR. These decisions emphasize the importance of autonomy and independence, conflict of interest management, direct access to top management, and appropriate measures for external DPOs. Furthermore, the dismissal of a DPO is permissible if they fail to meet professional standards or fulfill their duties per the GDPR. As the EDPB focuses on DPOs for its coordinated enforcement action in 2023, privacy pros should consider these decisions when developing and maintaining their data protection programs to ensure compliance and avoid potential fines or sanctions.