Coordinated Enforcement Action, Designation and Position of Data Protection Officers

17 January 2024
Designation and Position of Data Protection Officers 1.1MB
Appendix: National Reports on the Coordinated Enforcement Framework (CEF) Data Protection Officer (DPO) 2.2MB
Appendix: Statistics (xlsx) 241.8KB
Members:

Press release

EDPB identifies areas of improvement to promote the role and recognition of DPOs

17 January 2024

Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role. 

Anu Talus, EDPB Chair said: “The Coordinated Enforcement Framework (CEF) enables data protection authorities (DPAs) to cooperate more closely on selected topics in order to achieve better efficiency and more consistency. DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights. Through the CEF, DPAs investigated whether DPOs have the means to fulfil their tasks, as required by the GDPR. The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges.”

In the course of 2023, 25 DPAs across the European Economic Area (EEA) (including the EDPS) launched coordinated investigations into this topic. Various organisations, as well as DPOs were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR. 

Despite some concerns and challenges faced by some DPOs  (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs interrogated declare that they have the necessary skills and knowledge to do their work and receive regular trainings; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases, and provided with sufficient information to fulfil their tasks, and their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position. 

In order to address the challenges identified, the report lists some recommendations for organisations, DPOs and DPAs to strengthen DPOs’ independence and to guarantee that they have the necessary resources to carry out their tasks. Among others, the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.

The report is accompanied by two appendices: the statistics gathered during this action and the national reports of each participating DPA.

The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among DPAs. The CEF 2024 action will be on the implementation of the right of access by data controllers.

 

Further information on national designation and position of DPO: