In 2023, The European Data Protection Board (EDPB) will continue its coordinated enforcement action (CEF) on the subject of designation and position of data protection officers (DPOs). Throughout the year, 26 Data Protection Authorities (including European Data Protection Supervisor) will take part in the CEF 2023 on the designation and position of data protection officers (DPOs).

As intermediaries between DPAs, individuals and the business units of an organisation, data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights.

To gauge whether DPOs have the position in their organisations required by Art. 37-39 GDPR and Chapter 6 of the Personal Data Protection Act and the resources needed to carry out their tasks, participating DPAs will implement the CEF at national level in a number of ways:

• DPOs will be sent questionnaires to aid fact-finding exercise or questionnaires to identify if a formal investigation is warranted;
• commencement of a formal investigation;
• follow-up of ongoing formal investigations.

The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

This series of actions is the second initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among Data Protection Authorities (DPAs). In 2022, the topic of choice was the use of cloud services by the public sector. 

A report on the findings of this first CEF initiative was published on 18 January 2023 and is available on the following website:

• Coordinated Enforcement Action, use of cloud-based services by the public sector

For further information:

• Slovenian SA: Začetek usklajene skupne akcije nadzora glede vloge pooblaščenih oseb za varstvo podatkov (SI)

• EDPB press release: Launch of coordinated enforcement on role of data protection officers

   

• This initiative is launched in the framework of the European Data Protection Board and aims to assess the position of DPOs in their organisations.
• The Spanish Data Protection Agency will analyse the practices of more than 30,000 public and private sector entities

15 March 2023 - The Spanish Data Protection Agency (AEPD) participates in a coordinated European action to analyse the designation and position of data protection delegates (DPDs) in public and private entities, within the framework of coordinated actions of the European Data Protection Board (EDPB) planned in 2023.

The figure of the Data Protection Officer plays a key intermediary role between Supervisory Authorities, citizens and organisations, and plays a key role in contributing to compliance with data protection regulations and to promoting effective protection of the rights of data subjects.

Therefore, the objective of this preventive action — involving the 27 Data Protection Authorities of the European Union, as well as those of Iceland, Liechtenstein and Norway — is assessing whether the position of DPOs within their organisations complies with the requirements of the General Data Protection Regulation.

The AEPD will analyse the practices of more than 30,000 public and private sector entities. For private sector entities, the questionnaire will take into account different sectors of activity: education, banking and financial institutions, health, energy sector, security, telecommunications services, equity and credit solvency, and activities related to gambling and betting. The participating authorities shall submit a questionnaire that includes questions related, inter alia, to the designation, knowledge and experience of the DPOs, their tasks and resources or their role and position in their respective organisations.

The results of this action will be analysed in a coordinated manner and the Authorities may decide on possible additional supervisory and implementation actions in their respective countries. In addition, the results will be aggregated, generating a broader view and allowing specific monitoring in the field of the European Economic Area. Finally, the Committee will publish a report on the outcome of this analysis once the actions have been completed.

This initiative is part of the Committee’s Coordinated Enforcement Framework (CEF), which follows the one carried out in 2022 that analysed the use of cloud services by the public sector.

For further information:

• Spanish SA: La AEPD participa en una acción europea coordinada para analizar la designación y situación de los delegados de protección de datos (ES)

• Launch of coordinated enforcement on role of data protection officers