In 2023, The European Data Protection Board (EDPB) will continue its coordinated enforcement action (CEF) on the subject of designation and position of data protection officers (DPOs). Throughout the year, 26 Data Protection Authorities (including European Data Protection Supervisor) will take part in the CEF 2023 on the designation and position of data protection officers (DPOs).

As intermediaries between DPAs, individuals and the business units of an organisation, data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights.

To gauge whether DPOs have the position in their organisations required by Art. 37-39 GDPR and Chapter 6 of the Personal Data Protection Act and the resources needed to carry out their tasks, participating DPAs will implement the CEF at national level in a number of ways:

• DPOs will be sent questionnaires to aid fact-finding exercise or questionnaires to identify if a formal investigation is warranted;
• commencement of a formal investigation;
• follow-up of ongoing formal investigations.

The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

This series of actions is the second initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among Data Protection Authorities (DPAs). In 2022, the topic of choice was the use of cloud services by the public sector. 

A report on the findings of this first CEF initiative was published on 18 January 2023 and is available on the following website:

• Coordinated Enforcement Action, use of cloud-based services by the public sector

For further information:

• Slovenian SA: Začetek usklajene skupne akcije nadzora glede vloge pooblaščenih oseb za varstvo podatkov (SI)

• EDPB press release: Launch of coordinated enforcement on role of data protection officers

   

• This initiative is launched in the framework of the European Data Protection Board and aims to assess the position of DPOs in their organisations.
• The Spanish Data Protection Agency will analyse the practices of more than 30,000 public and private sector entities

15 March 2023 - The Spanish Data Protection Agency (AEPD) participates in a coordinated European action to analyse the designation and position of data protection delegates (DPDs) in public and private entities, within the framework of coordinated actions of the European Data Protection Board (EDPB) planned in 2023.

The figure of the Data Protection Officer plays a key intermediary role between Supervisory Authorities, citizens and organisations, and plays a key role in contributing to compliance with data protection regulations and to promoting effective protection of the rights of data subjects.

Therefore, the objective of this preventive action — involving the 27 Data Protection Authorities of the European Union, as well as those of Iceland, Liechtenstein and Norway — is assessing whether the position of DPOs within their organisations complies with the requirements of the General Data Protection Regulation.

The AEPD will analyse the practices of more than 30,000 public and private sector entities. For private sector entities, the questionnaire will take into account different sectors of activity: education, banking and financial institutions, health, energy sector, security, telecommunications services, equity and credit solvency, and activities related to gambling and betting. The participating authorities shall submit a questionnaire that includes questions related, inter alia, to the designation, knowledge and experience of the DPOs, their tasks and resources or their role and position in their respective organisations.

The results of this action will be analysed in a coordinated manner and the Authorities may decide on possible additional supervisory and implementation actions in their respective countries. In addition, the results will be aggregated, generating a broader view and allowing specific monitoring in the field of the European Economic Area. Finally, the Committee will publish a report on the outcome of this analysis once the actions have been completed.

This initiative is part of the Committee’s Coordinated Enforcement Framework (CEF), which follows the one carried out in 2022 that analysed the use of cloud services by the public sector.

For further information:

• Spanish SA: La AEPD participa en una acción europea coordinada para analizar la designación y situación de los delegados de protección de datos (ES)

• Launch of coordinated enforcement on role of data protection officers

   

Budapest, 20 March 2023 - The European Data Protection Board (EDPB) has started its 2023 coordinated enforcement action under the Coordinated Enforcement Framework (CEF) focusing on the role of data protection officers.

Data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subjects. In this role, they can essentially be considered as external resources of the supervisory authorities and protecting their position also promotes the effective application of the General Data Protection Regulation (hereinafter: GDPR)¹. The aim of the coordinated enforcement action is to gain deeper insight into the designation process and legal status of data protection officers.

To assess whether the designation, legal status and tasks of the data protection officers are in accordance with Art. 37-39 GDPR and they have the resources needed to carry out their tasks, the supervisory authorities participating in the coordinated enforcement action may

•  collect information, which may be followed by a formal investigation if appropriate;
•  commence formal investigations;
•  channel the coordinated enforcement action into ongoing formal investigations.

The Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) is participating in the 2023 coordinated enforcement action and intends to assess the situation of the data protection officers in the national public sector, given that public authorities and other bodies performing public duties, except for courts acting in their judicial responsibilities shall designate a data protection officer in any case pursuant to Art. 37 1. (a) GDPR².

The Authority intends to implement the CEF in the way of sending questionnaires compiled by the experts of the supervisory authorities, and asking the data protection officers of several data controllers in the public sector to fill them out by the end of March.

The questionnaire is not related to a formal procedure. Acting within the scope of its duties defined in Art. 57.1. (a) and (v) GDPR, the aim of the Authority is to obtain a comprehensive picture of the current situation of data protection officers in the public sector³.

15 March 2023 - The European Data Protection Board (EDPB) launches today the second coordinated supervisory action of data protection authorities, which will focus this year on the designation and position of Data Protection Officers (DPOs).

As intermediaries between data protection authorities, individuals and organisations, DPOs play an essential role in ensuring better compliance of organisations with data protection law and in promoting effective protection of data subjects’ rights.

The coordinated enforcement action (CEF) for 2023 involves 26 data protection authorities from the European Economic Area (EEA), including the CNPD. The main objective of this year’s CEF is to learn more about the role played by DPOs in organisations, whether they hold the position required by Articles 37 to 39 of the GDPR and whether they have the necessary resources to carry out their tasks.

This action is done through a common matrix questionnaire so that the responses obtained are analysed in a coordinated manner and the results aggregated and subject to a final report by the EDPB.

At national level, the CNPD will contact directly, during the next week, DPOs notified to the Commission by all public and private organisations to participate voluntarily in this action and to reply to the CEF 2023 questionnaire.

This will not be an investigative action, as the CNPD first wants to have a deeper understanding of the role of DPOs in organisations so that it can also find ways to better support their work. In this respect, it is of utmost importance, and also in the interest of DPOs, that they have a strong involvement in the response to this questionnaire. To ensure a higher response rate, the DPO does not have to provide his/her identification nor to identify the organisation concerned.

In 2022, when the first CEF action took place, the topic of election was the use of cloud based services by the public sector, in which the CNPD also participated. A report on the results of this CEF initiative, containing recommendations for public authorities, was adopted by the European Committee in January this year.

For further information:

• Portuguese SA: O papel dos EPD no centro da ação coordenada ue para 2023 (PT)
• Press releases by the EDPB and other national data protection authorities on joint supervision

The European Data Protection Board, the EDPB, has now launched a coordinated action to examine the role and position of data protection officers. 26 data protection authorities in Europe will be involved in the action.

According to the General Data Protection Regulation (GDPR), public authorities and certain businesses are obliged to appoint a data protection officer (DPO). The role of the DPO is to contribute within the organisation to the compliance with data protection legislation and to promote effective protection of individuals’ rights.

The EDBP has now launched a coordinated action to assess whether the DPOs have the role and position required by Articles 37-39 GDPR and the resources needed to carry out their tasks. The coordinated action involves 26 European data protection authorities, including the Swedish Data Protection Authority (IMY).

Each national data protection authority chooses whether the coordinated action should be carried out, for example, in the form of a survey or a supervision.

IMY plans to perform supervision against a number of organisations as its part of the coordinated action. This work is currently in the planning stage and IMY will provide more information once this initial work is done.

The results of the national measures will be aggregated and analysed to provide deeper insights into the topic and allow targeted follow-up at EU level. The EDPB will publish a report of this analysis.

This is the second coordinated action implemented by the EDPB. The first measure concerned a joint inquiry into the use of cloud services by public authorities.

For further information:

• Swedish SA: Samordnad undersökning av dataskyddsombudens roll (SV)
• Press releases by the EDPB and other national data protection authorities on joint supervision