Last week, the European Data Protection Board launched its 2023 coordinated enforcement action. 26 data protection authorities across Europe are jointly investigating the role of Data Protection Officers in both the public and private sectors. The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) also participates in joint supervision in the form of surveillance.
Data Protection Officers are information intermediaries within data protection authorities, between individuals and business units. They have a significant role ensuring that companies and authorities meet their data protection requirements and effectively protect the rights of individuals.
“The aim of such joint initiative is to understand how effectively Data Protection Officers can do their work and how their role in institutions and companies is perceived,” explained Geili Keppi, lawyer of the Data Protection Inspectorate. “Based on the results, we will be able to map bottlenecks and plan our activities so that we can provide more support to data protection officers in their work. In practice, it is often seen that organisations do not understand the need for data protection officers and therefore it is more difficult for data protection officers to stand up for their views.”
The obligation to appoint a Data Protection Officer, their role and responsibilities are outlined in Section 4 of Chapter 4 of the GDPR. In order to gauge whether data protection officers have a position in organisations that meet the conditions of Articles 37-39 GDPR and have the necessary resources to carry out their tasks, the supervisory authorities participating in the joint initiative will implement a number of measures:
- questionnaires will be sent out and, if necessary, formal investigations are initiated;
- formal investigations are initiated immediately;
- joint supervision is aligned with the ongoing formal investigations.
The data controllers in the selected sectors are targeted. The results of the joint initiative will be analysed in a coordinated manner and the supervisory authorities will decide on possible further national supervisory measures. In addition, results will be aggregated which will provide a more comprehensive overview of the subject and allow for targeted follow-up at European Union level. The European Data Protection Board will publish a report on the outcome of this analysis once the actions are concluded.
The Data Protection Inspectorate shall participate in joint supervision in the form of surveillance. We have selected 19 organisations from both the public and private sectors. For example, we plan to gauge the work of data protection officers in rural municipality and city governments, ministries, banks, hospitals and other institutions," explain Keppi. "Certainly, such a diverse sample gives us a good overview and also raises the value of the results. These are, among other things, organisations that must be especially diligent in ensuring the protection of personal data,” she added.
This is already the second initiative under Coordinated Enforcement Framework (CEF). Such coordinated initiatives aim to strengthen data protection oversight and enhance international cooperation between data protection authorities. In 2022, the subject of a similar joint initiative was the use of cloud services in the public sector. The report on the results of the first Joint European Initiative was published on 18 January 2023.
For further information: