On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU. In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR. This blog post summarizes the key findings of the EDPB’s 2023 CEF report.
Background
The 2023 CEF was conducted by the EU SAs, each of whom sent a selection of controllers and processors in their jurisdictions a pre-agreed questionnaire, in some cases slightly modified from the original, to be completed by their respective DPOs. In a few cases, questionnaires were completed by a member of an organization’s senior management (instead of a DPO).
Key Takeaways
The report highlights the following key findings and makes the following recommendations:
- Insufficient transparency on DPOs. Several SAs noted that a number of organizations did not always publicly disclose or provide their SAs with contact information for their DPOs (e.g., the DPO’s email address; there is no need to include the DPO’s name), which may contravene a data subject’s right to information and ability to access their personal data.
- SAs’ key recommendations: Organizations should ensure that a DPO’s contact details are made available to the public to enable effective communication with data subjects and SAs. They will also need to maintain up-to-date contact information and communicate any changes to data subjects (e.g., in their privacy notice).
- Insufficient resources allocated to DPOs. Several SAs noted that a number of DPOs did not have adequate resources to perform their tasks effectively.
- SAs’ key recommendations: Organizations should ensure that adequate financial and human resources are provided to DPOs, including: (i) completing a survey to determine the organization’s needs, particularly in terms of personnel required to assist the DPO and the type of matters the DPO is or should be involved in; (ii) allocating an independent budget to DPOs that ensures their autonomy; and (iii) providing internal teams to support the DPO. The SAs also endorse training to enable staff to stay up-to-date with the latest privacy developments.
- Insufficient involvement of DPOs in completing privacy-related tasks. Several SAs noted that a number of DPOs did not always have (i) access to information on matters falling within their remit, including data subject access requests (“DSARs”), data breaches, and so forth; and (ii) information regarding why their organizations may have deviated from their recommendations.
- SAs’ key recommendations: DPOs should always be consulted on questions related to data privacy. To this end, organizations should develop and implement internal policies to determine when a DPO’s involvement is necessary (e.g., DSAR, data breaches, etc.), as well as coordinate with other key departments (e.g., HR, Compliance, IT, etc.).
- Insufficient oversight of conflicts of interests, and reporting mechanisms to high-level management. Several SAs noted that a high number of DPOs responded that they can receive instructions regarding the performance of their tasks and/or may have additional roles in the organization that could pose a conflict (in light of Article 38(3) and (6) of the GDPR and the CJEU’s recent judgment on DPOs’ conflicts of interests).
- SAs’ key recommendations: Organizations should: (i) raise awareness regarding the DPO’s role and responsibilities; (ii) identify roles that would be incompatible with the function of DPO; and (iii) draw up and circulate internal policies identifying a DPO’s tasks.
What’s next?
Based on the results of the 2023 survey, the EDPB and SAs will develop further guidance and additional tools (e.g., training, workshops, factsheets, etc.). SAs have also indicated that they may launch investigations or sectoral audits on the basis of the information gleaned through the survey.
* * *
Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging compliance issues in the EU and other key markets, including on DPOs’ designation and role and data subjects’ rights. Our team is happy to assist companies with any questions relating to DPOs, as well as any other privacy or cybersecurity-related questions.
(This blog post was written with the contributions of Diane Valat.)