Coordinated investigation of the role of data protection officers
The European Data Protection Board, the EDPB, has now launched a coordinated action to examine the role and position of data protection officers. 26 data protection authorities in Europe will be involved in the action.
According to the General Data Protection Regulation (GDPR), public authorities and certain businesses are obliged to appoint a data protection officer (DPO). The role of the DPO is to contribute to the organisation's compliance with data protection legislation and to promote effective protection of individuals’ rights.
The EDPB has now launched a coordinated action to assess whether the DPOs have the role and position required by Articles 37-39 GDPR and the resources needed to carry out their tasks. The coordinated action involves 26 European data protection authorities, including the Swedish Data Protection Authority (IMY).
Each national data protection authority chooses whether the coordinated action should be carried out, for example, in the form of a survey or a supervision.
IMY plans to carry out supervision of a number of organisations as its part of the coordinated action. This work is currently in the planning stage and IMY will provide more information once this initial work is done.
The results of the national measures will be aggregated and analysed to provide deeper insights into the topic and allow targeted follow-up at EU level. The EDPB will publish a report of this analysis.
This is the second coordinated action implemented by the EDPB. The first measure concerned a joint inquiry into the use of cloud services by public authorities.
For further information:
- Swedish SA: Samordnad undersökning av dataskyddsombudens roll (SV)
- Press releases by the EDPB and other national data protection authorities on joint supervision
Estonia participates in pan-European joint supervision of the role of public and private sector data protection officers
Last week, the European Data Protection Board launched its 2023 coordinated enforcement action. 26 data protection authorities across Europe are jointly investigating the role of Data Protection Officers in both the public and private sectors. The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) also participates in joint supervision in the form of surveillance.
Data Protection Officers act as intermediaries between data protection authorities, individuals and business units. They play a significant role in ensuring that companies and authorities meet their data protection requirements and effectively protect the rights of individuals.
“The aim of such a joint initiative is to understand how effectively Data Protection Officers can do their work and how their role in institutions and companies is perceived,” explained Geili Keppi, lawyer of the Data Protection Inspectorate. “Based on the results, we will be able to map bottlenecks and plan our activities so that we can provide more support to data protection officers in their work. In practice, it is often seen that organisations do not understand the need for data protection officers and therefore it is more difficult for data protection officers to stand up for their views.”
The obligation to appoint a Data Protection Officer, their role and responsibilities are outlined in Section 4 of Chapter 4 of the GDPR. In order to gauge whether data protection officers have a position in organisations that meets the conditions of Articles 37-39 GDPR and have the necessary resources to carry out their tasks, the supervisory authorities participating in the joint initiative will implement a number of measures:
- questionnaires will be sent out and, if necessary, formal investigations are initiated;
- formal investigations are initiated immediately;
- joint supervision is aligned with the ongoing formal investigations.
The data controllers in the selected sectors are targeted. The results of the joint initiative will be analysed in a coordinated manner and the supervisory authorities will decide on possible further national supervisory measures. In addition, results will be aggregated which will provide a more comprehensive overview of the subject and allow for targeted follow-up at European Union level. The European Data Protection Board will publish a report on the outcome of this analysis once the actions are concluded.
The Data Protection Inspectorate shall participate in joint supervision in the form of surveillance. “We have selected 19 organisations from both the public and private sectors. For example, we plan to gauge the work of data protection officers in rural municipality and city governments, ministries, banks, hospitals and other institutions,” explained Keppi. “Certainly, such a diverse sample gives us a good overview and also raises the value of the results. These are, among other things, organisations that must be especially diligent in ensuring the protection of personal data,” she added.
This is already the second initiative under the Coordinated Enforcement Framework (CEF). Such coordinated initiatives aim to strengthen data protection oversight and enhance international cooperation between data protection authorities. In 2022, the subject of a similar joint initiative was the use of cloud services in the public sector. The report on the results of the first Joint European Initiative was published on 18 January 2023.