On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU.  In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR.  This blog post summarizes the key findings of the EDPB’s 2023 CEF report.

Background

The 2023 CEF was conducted by the EU SAs, each of which sent a selection of controllers and processors in its jurisdiction a pre-agreed questionnaire, in some cases slightly modified from the original, to be completed by their respective DPOs.  In a few cases, questionnaires were completed by a member of an organization’s senior management instead of a DPO.

Key Takeaways

The report highlights the following key findings and makes the following recommendations:

  • Insufficient transparency on DPOs.  Several SAs noted that a number of organizations did not always publicly disclose or provide their SAs with contact information for their DPOs (e.g., the DPO’s email address; there is no need to include the DPO’s name), which may contravene a data subject’s right to information and ability to access their personal data.
    • SAs’ key recommendations:  Organizations should ensure that a DPO’s contact details are made available to the public to enable effective communication with data subjects and SAs.  They will also need to maintain up-to-date contact information and communicate any changes to data subjects (e.g., in their privacy notice).
  • Insufficient resources allocated to DPOs.  Several SAs noted that a number of DPOs did not have adequate resources to perform their tasks effectively.
    • SAs’ key recommendations:  Organizations should ensure that adequate financial and human resources are provided to DPOs, including: (i) completing a survey to determine the organization’s needs, particularly in terms of personnel required to assist the DPO and the type of matters the DPO is or should be involved in; (ii) allocating an independent budget to DPOs that ensures their autonomy; and (iii) providing internal teams to support the DPO.  The SAs also endorse training to enable staff to stay up-to-date with the latest privacy developments.
  • Insufficient involvement of DPOs in completing privacy-related tasks.  Several SAs noted that a number of DPOs did not always have (i) access to information on matters falling within their remit, including data subject access requests (“DSARs”), data breaches, and so forth; and (ii) information regarding why their organizations may have deviated from their recommendations.
    • SAs’ key recommendations:  DPOs should always be consulted on questions related to data privacy.  To this end, organizations should develop and implement internal policies to determine when a DPO’s involvement is necessary (e.g., DSAR, data breaches, etc.), as well as coordinate with other key departments (e.g., HR, Compliance, IT, etc.).
  • Insufficient safeguards against conflicts of interest and insufficient reporting lines to senior management.  Several SAs noted that a high number of DPOs reported that they receive instructions regarding the performance of their tasks and/or hold additional roles in the organization that could give rise to a conflict of interest (contrary to Article 38(3) and (6) of the GDPR and the CJEU’s recent judgment on DPO conflicts of interest).
    • SAs’ key recommendations:  Organizations should: (i) raise awareness regarding the DPO’s role and responsibilities; (ii) identify roles that would be incompatible with the function of DPO; and (iii) draw up and circulate internal policies identifying a DPO’s tasks.

What’s next?

Based on the results of the 2023 survey, the EDPB and SAs will develop further guidance and additional tools (e.g., training, workshops, factsheets, etc.).   SAs have also indicated that they may launch investigations or sectoral audits on the basis of the information gleaned through the survey.

*           *           *

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging compliance issues in the EU and other key markets, including on the designation and role of DPOs and on data subjects’ rights.  Our team is happy to assist companies with any questions relating to DPOs, as well as any other privacy or cybersecurity-related questions.

(This blog post was written with the contributions of Diane Valat.)

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU data privacy, cybersecurity and consumer law issues in various EU and rest-of-world jurisdictions.