The role of DPOs at the heart of EU coordinated action for 2023

15 March 2023 - The European Data Protection Board (EDPB) launches today the second coordinated supervisory action of data protection authorities, which will focus this year on the designation and position of Data Protection Officers (DPOs).

As intermediaries between data protection authorities, individuals and organisations, DPOs play an essential role in ensuring better compliance of organisations with data protection law and in promoting effective protection of data subjects’ rights.

The coordinated enforcement action (CEF) for 2023 involves 26 data protection authorities from the European Economic Area (EEA), including the CNPD. The main objective of this year’s CEF is to learn more about the role played by DPOs in organisations, whether they hold the position required by Articles 37 to 39 of the GDPR and whether they have the necessary resources to carry out their tasks.

This action is carried out through a common matrix questionnaire, so that the responses obtained are analysed in a coordinated manner and the results are aggregated and presented in a final report by the EDPB.

At national level, the CNPD will, during the next week, directly contact the DPOs notified to the Commission by all public and private organisations, inviting them to participate voluntarily in this action and to reply to the CEF 2023 questionnaire.

This will not be an investigative action, as the CNPD first wants to have a deeper understanding of the role of DPOs in organisations so that it can also find ways to better support their work. In this respect, it is of utmost importance, and also in the interest of DPOs, that they have a strong involvement in the response to this questionnaire. To ensure a higher response rate, the DPO does not have to provide his/her identification or identify the organisation concerned.

In 2022, when the first CEF action took place, the chosen topic was the use of cloud-based services by the public sector, in which the CNPD also participated. A report on the results of this CEF initiative, containing recommendations for public authorities, was adopted by the European Committee in January this year.

 


Coordinated investigation of the role of data protection officers

The European Data Protection Board, the EDPB, has now launched a coordinated action to examine the role and position of data protection officers. 26 data protection authorities in Europe will be involved in the action.

According to the General Data Protection Regulation (GDPR), public authorities and certain businesses are obliged to appoint a data protection officer (DPO). The role of the DPO is to contribute within the organisation to the compliance with data protection legislation and to promote effective protection of individuals’ rights.

The EDPB has now launched a coordinated action to assess whether the DPOs have the role and position required by Articles 37-39 GDPR and the resources needed to carry out their tasks. The coordinated action involves 26 European data protection authorities, including the Swedish Data Protection Authority (IMY).

Each national data protection authority chooses whether the coordinated action should be carried out, for example, in the form of a survey or a supervision.

IMY plans to carry out supervision of a number of organisations as its part of the coordinated action. This work is currently in the planning stage and IMY will provide more information once this initial work is done.

The results of the national measures will be aggregated and analysed to provide deeper insights into the topic and allow targeted follow-up at EU level. The EDPB will publish a report of this analysis.

This is the second coordinated action implemented by the EDPB. The first measure concerned a joint inquiry into the use of cloud services by public authorities.


 

 

Estonia participates in the pan-European joint supervision of the role of public and private data protection officers

Last week, the European Data Protection Board launched its 2023 coordinated enforcement action. 26 data protection authorities across Europe are jointly investigating the role of Data Protection Officers in both the public and private sectors. The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) also participates in joint supervision in the form of surveillance.

Data Protection Officers are intermediaries between data protection authorities, individuals and business units. They have a significant role in ensuring that companies and authorities meet their data protection requirements and effectively protect the rights of individuals.

“The aim of such joint initiative is to understand how effectively Data Protection Officers can do their work and how their role in institutions and companies is perceived,” explained Geili Keppi, lawyer of the Data Protection Inspectorate. “Based on the results, we will be able to map bottlenecks and plan our activities so that we can provide more support to data protection officers in their work. In practice, it is often seen that organisations do not understand the need for data protection officers and therefore it is more difficult for data protection officers to stand up for their views.”

The obligation to appoint a Data Protection Officer, their role and responsibilities are outlined in Section 4 of Chapter 4 of the GDPR. In order to gauge whether data protection officers have a position in organisations that meets the conditions of Articles 37-39 GDPR and have the necessary resources to carry out their tasks, the supervisory authorities participating in the joint initiative will implement a number of measures:

  • questionnaires will be sent out and, if necessary, formal investigations are initiated;
  • formal investigations are initiated immediately;
  • joint supervision is aligned with the ongoing formal investigations.

The data controllers in the selected sectors are targeted. The results of the joint initiative will be analysed in a coordinated manner and the supervisory authorities will decide on possible further national supervisory measures. In addition, results will be aggregated which will provide a more comprehensive overview of the subject and allow for targeted follow-up at European Union level. The European Data Protection Board will publish a report on the outcome of this analysis once the actions are concluded.

The Data Protection Inspectorate shall participate in joint supervision in the form of surveillance. “We have selected 19 organisations from both the public and private sectors. For example, we plan to gauge the work of data protection officers in rural municipality and city governments, ministries, banks, hospitals and other institutions,” explained Keppi. “Certainly, such a diverse sample gives us a good overview and also raises the value of the results. These are, among other things, organisations that must be especially diligent in ensuring the protection of personal data,” she added.

This is already the second initiative under the Coordinated Enforcement Framework (CEF). Such coordinated initiatives aim to strengthen data protection oversight and enhance international cooperation between data protection authorities. In 2022, the subject of a similar joint initiative was the use of cloud services in the public sector. The report on the results of the first Joint European Initiative was published on 18 January 2023.


Data Protection Code of Conduct for Cloud Infrastructure Service Providers

3 June 2021

Type: Code for Controllers/Processors subject to GDPR

Scope: Transnational

Monitoring Body:

  • EY CERTIFYPOINT BV (accredited by decision of French DPA of 17/06/2021, n° 2021-76)
  • Laboratoire national de métrologie et d’essai (LNE) (accredited by decision of French DPA of 23/09/2021, n° 2021-112)
  • Bureau Veritas Italia Spa (accredited by decision of French DPA of 07/10/2021, n° 2021-117)