Budapest, 20 March 2023 - The European Data Protection Board (EDPB) has started its 2023 coordinated enforcement action under the Coordinated Enforcement Framework (CEF) focusing on the role of data protection officers.
Data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subjects. In this role, they can essentially be considered as external resources of the supervisory authorities and protecting their position also promotes the effective application of the General Data Protection Regulation (hereinafter: GDPR)1. The aim of the coordinated enforcement action is to gain deeper insight into the designation process and legal status of data protection officers.
To assess whether the designation, legal status and tasks of the data protection officers are in accordance with Art. 37-39 GDPR and they have the resources needed to carry out their tasks, the supervisory authorities participating in the coordinated enforcement action may
- collect information, which may be followed by a formal investigation if appropriate;
- commence formal investigations;
- channel the coordinated enforcement action into ongoing formal investigations.
The Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) is participating in the 2023 coordinated enforcement action and intends to assess the situation of the data protection officers in the national public sector, given that public authorities and other bodies performing public duties, except for courts acting in their judicial responsibilities shall designate a data protection officer in any case pursuant to Art. 37 1. (a) GDPR2.
The Authority intends to implement the CEF in the way of sending questionnaires compiled by the experts of the supervisory authorities, and asking the data protection officers of several data controllers in the public sector to fill them out by the end of March.
The questionnaire is not related to a formal procedure. Acting within the scope of its duties defined in Art. 57.1. (a) and (v) GDPR, the aim of the Authority is to obtain a comprehensive picture of the current situation of data protection officers in the public sector3.
The answers to the questionnaire will be analyzed by the Authority, and the results - in aggregated and extracted form - will be used in the EEA-level report on the designation and legal status of data protection officers.
Dr. habil. Attila Péterfalvi,
President Honorary Professor
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2 Art. 37 GDPR 1.The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
3 Art. 57 GDPR 1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: (a) monitor and enforce the application of this Regulation; (v) fulfil any other tasks related to the protection of personal data.
For further information:
- Hungarian SA: Közlemény az Európai Adatvédelmi Testület által a 2023. évre prioritásként meghatározott, az adatvédelmi tisztviselők szerepére fókuszáló összehangolt fellépés tényleges megkezdéséről (HU)
-
Launch of coordinated enforcement on role of data protection officers