By Amanda Mackenzie & Jade Kowalski


Published 07 February 2024

Overview

On the 16th January 2024 the European Data Protection Board (EDPB) adopted its report on the designation and position of Data Protection Officers (DPOs) following a year of investigations by 25 supervisory authorities (SAs) (the Report).


The Coordinated Enforcement Framework

This initiative was set up under the EDPB's Coordinated Enforcement Framework (CEF), created in 2020 with a view to streamlining enforcement and cooperation among supervisory authorities. The aim of the CEF is to facilitate year-long coordinated actions and investigations on a pre-agreed subject. The only prior investigation related to the Use of Cloud Services by Public Bodies and was carried out in 2021.


The aims of the EDPB

With this second CEF action the EDPB wanted to:

  • obtain insights regarding the profile, position and work of DPOs in practice to guide enforcement actions of SAs;
  • raise awareness of the requirements applicable to DPOs within organisations (in particular within the highest management level of organisations);
  • ensure that DPOs fulfil the key role assigned to them by data protection law to facilitate compliance and promote the role of the DPO; and
  • evaluate DPOs’ and organisations’ needs for further guidance and other forms of support.

It is clear from the Report that the role of the DPO is considered a paramount element of the GDPR framework. It highlighted that, even prior to the GDPR, the Article 29 Working Party (the EDPB's predecessor) hailed the role of the DPO as "the cornerstone of accountability", and the EDPB subsequently confirmed under the GDPR that the DPO is "the heart of this new legal framework for many organisations".


The recommendations

The Report noted disparities across the EEA both in the responses to the questionnaires and levels of compliance by organisations. It also recognised that best practices by some SAs could be promoted by others. The Report highlighted seven recommendations and points of attention which we summarise below:

1. Failure to designate a DPO in circumstances where such appointment is mandatory

Article 37(1) sets the circumstances in which a DPO appointment is mandatory. It was noted that some organisations had not appointed a DPO when required to. The Report recommended more initiatives by SAs to raise awareness of the mandatory requirements.

2. Insufficient resources allocated to the DPO

Insufficient resources (covering budget, time and staff) were identified. In particular, lack of support staff was cited as a problem for DPOs who were expected to perform more work than they could handle. It was recommended that organisations note the seriousness of this obligation and document the assessment carried out to confirm that the DPO has sufficient resources. It was also recognised that, whilst not a requirement of the GDPR, allowing the DPO to control their own budget would make it easier to manage resources effectively.

3. Insufficient expert knowledge and training of the DPO

Article 37(5) of the GDPR requires DPOs to have "expert knowledge". Although the responses to the questionnaires showed that the majority of DPOs received 24 hours of training a year, SAs could offer more guidance and training sessions for DPOs, and organisations should document their training needs and progress. This is particularly important due to the new developments relating to the European Data Strategy and the "Big Five Laws" (the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act and the AI Act). An increased use of DPO certification mechanisms (as in France) was suggested.

4. DPOs not being fully or explicitly entrusted with the tasks required under the EU GDPR

The issues identified here were twofold:

(i) DPOs not being given key roles as required under GDPR

Article 39 sets out a number of tasks which must be performed by a DPO; however, the survey results showed that these tasks may not always be properly assigned. For example, the role of the DPO in carrying out a DPIA was flagged. Under Article 35(2) the controller should "seek advice" of the DPO, and it is the task of the controller (not the DPO) to carry out the DPIA. Whilst DPOs can be significantly involved in the drafting of a DPIA, they should have sufficient independence to evaluate the DPIA and its outcomes.

A clear separation between the controller/processor obligations and the DPO's own obligations and duties was recommended, along with an instruction for all stakeholders to promote the role of the DPO internally.

(ii) Lack of systematic involvement of the DPO

Article 38(1) requires a DPO to be involved "properly and in a timely manner in all issues which relate to the protection of personal data". A DPO cannot do their job if they are not consulted. Stakeholders should promote and actively review the role of the DPO within the organisation. An annual report of the DPO's activities was suggested.

5. Conflict of interest and the lack of independence of the DPO

The survey results revealed that some SAs considered that DPOs could be put in situations of conflict of interest. These were identified in the following situations:

(i) Conflict of interest due to conflicting roles or tasks

Conflicts can arise if the DPO also holds a position in the highest level of management. In the recent case of X-Fab Dresden[1] the CJEU concluded that a conflict of interest may exist where a DPO is entrusted with other tasks or duties which would result in them making decisions on the purpose and means of data processing activities.

The risk of this conflict has increased due to DPOs taking on new roles under the "Big Five" pieces of legislation in the digital field. There should be more incentives and actions by SAs to enable organisations to verify that appropriate safeguards are in place to ensure DPOs are not responsible for carrying out tasks that lead to a conflict of interest.

(ii) Lack of independence due to instructions or contractual or budgetary set-up

Again, the ability of a DPO to manage their own budget was highlighted as key to maintaining independence, as it allows the prioritisation of critical tasks. If the budget is managed by the organisation, the DPO may be hesitant to criticise the organisation's data protection practices for fear of budget cuts. Although the surveys revealed that the number of DPOs suffering negative consequences for carrying out their tasks was low, the EDPB still raised a concern that the independence of a DPO cannot be guaranteed if there is a risk of adverse outcomes for performing their tasks.

It was recommended that SAs carry out more awareness-raising activities on the required independence of the DPO and look to enforcement actions for non-compliance. Organisations could formalise the DPO's duties in an "engagement letter" which could reduce the risk of conflicts. This would also support the DPO in identifying and collecting evidence of interferences with their independence.

6. Lack of reporting by the DPO to the organisation's highest management level

Article 38(3) requires DPOs to report to the organisation's highest management level. The questionnaire results revealed that DPOs are not regularly expected to submit reports and may not have direct access to the highest management level. Lack of direct access prevents the DPO from having their voice heard, undermines the effectiveness of the role and potentially the organisation's overall compliance. This legal obligation could benefit from further guidance from SAs and the EDPB to help organisations implement it, including industry standards and best practice recommendations on the frequency and content of such reporting.

7. Further guidance from SAs could help and empower DPOs

Generally, it was recognised that further guidance by SAs and the development of the current EDPB Guidelines on Data Protection Officers would be beneficial to DPOs and help them carry out their tasks more efficiently. With the fast-paced changes in the digital landscape, DPOs are increasingly expected to give guidance on complex issues, both legal and IT-related.

Despite the challenges and concerns outlined above, the EDPB thought that there were positive conclusions to be drawn from the questionnaire results, including that the DPO function is becoming more professional, DPOs are having a real impact within their organisations as their advice is generally followed and they are available to be contacted by data subjects.

The CEF action also illustrated that SAs are already, and as a result of the CEF, taking action at national level to enforce the DPO requirements under the GDPR, for example on DPO independence and conflicts of interest.


Ongoing work

It is clear that the publication of the Report is not the conclusion of this CEF action and it may need updating during the course of 2024. Work by the EDPB and SAs will be ongoing. We anticipate that SAs will be providing further guidance concerning DPOs and the EDPB may review and develop their existing Guidelines on Data Protection Officers.


Conclusions and key takeaways for UK organisations

The publication of the Report is timely. Given the fast pace of developments in the EU digital legislative landscape, the role of the DPO is evolving. DPOs in many organisations are being tasked with key roles under these new regimes, including the AI Act, the Digital Services Act, the Digital Markets Act and the Data Act. In particular, they are taking on new roles related to AI, ethics and data governance. These new roles may give rise to some of the concerns identified above, such as the risk of conflicts of interest or insufficient resources for DPOs.

So what for the role of the UK DPO? This Report remains of great interest as the commentary provides useful narratives regarding the importance of the role of the DPO and the issues they face in the changing digital landscape. Many UK DPOs will find it helpful, particularly when highlighting any concerns regarding DPO budgets, support, remit and reporting structures.


[1] CJEU Judgment of 9 February 2023, C-453/21, X-Fab Dresden GmbH & Co KG
