Coordinated Enforcement Action, Designation and Position of Data Protection Officers

Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role. 

Anu Talus, EDPB Chair said: “The Coordinated Enforcement Framework (CEF) enables data protection authorities (DPAs) to cooperate more closely on selected topics in order to achieve better efficiency and more consistency. DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights. Through the CEF, DPAs investigated whether DPOs have the means to fulfil their tasks, as required by the GDPR. The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges.”

In the course of 2023, 25 DPAs across the European Economic Area (EEA) (including the EDPS) launched coordinated investigations into this topic. Various organisations, as well as DPOs were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR. 

Despite some concerns and challenges faced by some DPOs  (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs interrogated declare that they have the necessary skills and knowledge to do their work and receive regular trainings; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases, and provided with sufficient information to fulfil their tasks, and their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position. 

In order to address the challenges identified, the report lists some recommendations for organisations, DPOs and DPAs to strengthen DPOs’ independence and to guarantee that they have the necessary resources to carry out their tasks. Among others, the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.

The report is accompanied by two appendices: the statistics gathered during this action and the national reports of each participating DPA.

The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among DPAs. The CEF 2024 action will be on the implementation of the right of access by data controllers.

Further information on national designation and position of DPO:

• AT DPA: Bekanntmachungen der Datenschutzbehörde - ORF-Beitrag (vormals: GIS-Rundfunkgebühren)
• BE DPA: La place du DPO : rapport de l’EDPB et observations de l’APD (fr), De positie van de DPO: rapport van de EDPB en opmerkingen van de GBA (nl), The role of the DPO: EDPB report and BE DPA comments (en)
• CY DPA: Αποτελέσματα της συντονισμένης δράσης του Ευρωπαϊκού Συμβουλίου Προστασίας Δεδομένων (ΕΣΠΔ) σχετικά με τον ρόλο των Υπευθύνων Προστασίας Δεδομένων (ΥΠΔ)
• CZ DPA: EDPB šetřil postavení pověřenců pro ochranu osobních údajů 
• DA DPA: EDPB vedtager rapport om databeskyttelsesrådgiverens rolle
• DE DPA, BayLDA - Das Bayerische Landesamt für Datenschutzaufsicht: Europaweite Prüfung zu Stellung und Aufgaben von Datenschutzbeauftragten ergibt gemischte Bilanz
• EDPS: EDPS publishes results of the Coordinated Enforcement Action on data protection officers
• EL DPA: Ολοκληρώθηκε η συντονισμένη δράση των εποπτικών Αρχών για τον ρόλο των Υπευθύνων Προστασίας Δεδομένων – Σε εξέλιξη οι έλεγχοι σε δημόσιους φορείς από την Αρχή
• ES DPA: Resultados de la acción europea que ha analizado la designación y situación de los delegados de protección de datos
• FI DPA: Euroopan tietosuojaneuvosto julkaisi raportin tietosuojavastaavien asemaa koskevasta selvityksestä – moni tietosuojavastaava kohtaa edelleen haasteita tehtävässään
• FR DPA: Rôle et moyens du délégué à la protection des données : bilan des contrôles de la CNIL (FR), The role and resources of the data protection officer: results of CNIL investigations (EN)
• HU DPA: Közlemény az Európai Adatvédelmi Testület által a 2023. évre prioritásként meghatározott, az adatvédelmi tisztviselők szerepére fókuszáló összehangolt intézkedés eredményéről 
• IT DPA: Il Comitato europeo per la protezione dei dati identifica le aree di miglioramento per promuovere il ruolo e il riconoscimento dei RPD 
• LT DPA: Valstybinė duomenų apsaugos inspekcija atliko patikrinimus dėl duomenų apsaugo pareigūnų
• LV DPA: Noslēgusies pārbaude par datu aizsardzības speciālista institūtu
• NL DPA: Europees onderzoek: positie FG moet beter
• PT DPA: Comité Europeu aprova relatório sobre o papel dos EPD
• PL DPA: Wyznaczanie i pozycja inspektorów ochrony danych - sprawozdanie EROD z badań CEF 
• SI DPA: Pooblaščene osebe za varstvo osebnih podatkov: izsledki usklajene skupne akcije nadzora
• SE DPA: EDPB publicerar rapport om dataskyddsombudens roll och ställning