European Data Protection Board Focuses Coordinated Enforcement on Data Protection Officers

Gail Crawford, Ben Leigh, Fiona Maclean, Amy Smyth
Latham & Watkins LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Latham & Watkins LLP

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

 

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

DPOs’ Role and Standards

The EDPB considers that DPOs are intermediaries between DPAs, individuals, and an organisation’s business units, and therefore play an essential role in contributing to data privacy compliance and protecting data subject rights. The GDPR provides for the mandatory designation of a DPO in certain circumstances, including if the core activities of an organisation consist of either the regular and systematic monitoring of EU residents on a large scale, or the large-scale processing of special category personal data, or personal data relating to criminal offences, of EU residents. The GDPR also prescribes various requirements and standards for DPOs, such as:

  • The DPO must be professionally qualified and have expert knowledge of data protection law and practices.
  • The DPO must not perform any other role or function which would create a conflict of interest with their role as DPO. European-level guidance, member state national courts and the Court of Justice of the European Union (CJEU) indicate that a conflict of interest may arise if a DPO performs an operational role in which the DPO determines the purposes and means of personal data processing. The CJEU has also confirmed that DPO conflicts of interest should be determined on a case-by-case basis.
  • The DPO must engage in a timely manner with all matters relating to data protection and must report to the highest management level.
  • The DPO should be available to all relevant data subjects and supervisory authorities.
  • The DPO must carry out at least the specific tasks stipulated in the GDPR, for example, monitoring compliance with applicable data protection laws and internal policies, and cooperating with DPAs.
  • Organisations must support the DPO in performing their function by providing adequate resources and sufficient access to personal data and processing operations.

The New CEF’s Purpose

The current CEF aims to assess compliance with these standards and requirements around the designation and position of DPOs. The EDPB states that participating DPAs will implement the CEF at a national level in several ways, including by sending questionnaires to DPOs to support fact-finding exercises and formal investigations.

The EDPB will analyse the CEF joint initiative’s results in a coordinated manner; DPAs will decide on possible further national supervision and enforcement actions. In addition, the aggregated results will generate a deeper insight into DPO compliance. The EDPB also considers that a targeted follow-up at the EU level could be necessary.

The 2022 Coordinated Enforcement Framework

The first CEF in 2022 concerned how the public sector uses cloud-based services. It commenced on 15 February 2022 and the EDPB adopted a final report on 17 January 2023. The final report provides a list of key points that stakeholders should consider when engaging cloud services, such as to carry out a Data Protection Impact Assessment (DPIA) to unequivocally determine the involved parties’ roles, and to examine and renegotiate the contract with the cloud service provider to establish a meaningful way to object to new sub-processors. Given this precedent, the 2023 DPO CEF might also result in harmonised guidance for organisations regarding their DPO governance activities, and practical steps DPOs should take.

Takeaways

Organisations should expect increased scrutiny, investigation, and enforcement activity around DPOs during the next year and should:

  • ensure their DPOs are appropriately positioned within the company, with clear reporting lines to senior management levels and sufficient access to data and processing operations;
  • ensure their DPOs are sufficiently resourced to carry out their tasks under the GDPR;
  • document their DPO and broader data protection governance structures and roles. For DPOs with combined roles, this documentation should set out why the DPOs roles do not give rise to any conflict of interest; and
  • keep such evidence readily accessible, in the event of questionnaires and other requests for information from DPAs.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Latham & Watkins LLP
Contact
more
less

Latham & Watkins LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide