March 17, 2023

EU Privacy Regulators Coordinate to Assess Compliance with the GDPR Rules on Data Protection Officers

Cédric Burton, Joanna Juzak, Michael Kern, Maneesha Mithal, Matthew Nuding

+ Follow Contact

Send

Embed

Wilson Sonsini Goodrich & Rosati

On March 15, 2023, the European Data Protection Board (EDPB) announced a coordinated action on the role of the data protection officers (DPOs). The data protection authorities (DPAs) will ask DPOs a series of questions to inquire about their designation and position in their respective organizations. The DPAs will also investigate compliance with the DPO-related requirements and follow-up on ongoing formal investigations. Organizations should consider reviewing their compliance with the General Data Protection Regulation (GDPR) requirements on DPOs in light of the upcoming DPA wave of enforcement.

Coordinated Action

This initiative falls under the EDPB’s Coordinated Enforcement Framework (CEF), which aims to facilitate enforcement and cooperation among DPAs. The goal of the CEF is to assess whether organizations comply with GDPR requirements related to DPOs.

Potential areas of focus include: DPO’s qualifications and necessary resources; DPO’s independence; existence of conflicts of interests; and direct reporting to the highest management level of the organization.

According to the press release, DPAs will be:

sending questionnaires to DPOs to gather information and to identify if a formal investigation is warranted;
commencing formal investigations; and
following up on ongoing formal investigations.

Some DPAs, such as the Bavarian DPA¹, the Spanish DPA², the Finnish DPA³, and the Portuguese DPA⁴, individually announced their participation in this action. We expect more to follow.

Recommended Steps

In light of the anticipated enforcement action, organizations should consider reviewing their compliance with the GDPR requirements related to DPOs. In particular, organizations should assess whether their DPO can operate independently, has the resources available to perform the tasks and that these tasks do not conflict with other assigned tasks, and that the DPO has the appropriate level of qualification and expert knowledge. Organizations should also consider verifying that they maintain appropriate documentation, such as organizational charts to demonstrate that DPOs report directly to the highest management level of the organization.

^[1]See press release of the Bavarian DPA dated March 15, 2023 here.

^[2]See press release of the Spanish DPA dated March 15, 2023 here.

^[3]See press release of the Finnish DPA dated March 15, 2023 here.

^[4]See press release of the Portuguese DPA dated March 15, 2023 here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.