On March 15, 2023, the European Data Protection Board (EDPB) announced a coordinated action on the role of the data protection officers (DPOs). The data protection authorities (DPAs) will ask DPOs a series of questions to inquire about their designation and position in their respective organizations. The DPAs will also investigate compliance with the DPO-related requirements and follow-up on ongoing formal investigations. Organizations should consider reviewing their compliance with the General Data Protection Regulation (GDPR) requirements on DPOs in light of the upcoming DPA wave of enforcement.
Coordinated Action
This initiative falls under the EDPB’s Coordinated Enforcement Framework (CEF), which aims to facilitate enforcement and cooperation among DPAs. The goal of the CEF is to assess whether organizations comply with GDPR requirements related to DPOs.
Potential areas of focus include: DPO’s qualifications and necessary resources; DPO’s independence; existence of conflicts of interests; and direct reporting to the highest management level of the organization.
According to the press release, DPAs will be:
- sending questionnaires to DPOs to gather information and to identify if a formal investigation is warranted;
- commencing formal investigations; and
- following up on ongoing formal investigations.
Some DPAs, such as the Bavarian DPA1, the Spanish DPA2, the Finnish DPA3, and the Portuguese DPA4, individually announced their participation in this action. We expect more to follow.
Recommended Steps
In light of the anticipated enforcement action, organizations should consider reviewing their compliance with the GDPR requirements related to DPOs. In particular, organizations should assess whether their DPO can operate independently, has the resources available to perform the tasks and that these tasks do not conflict with other assigned tasks, and that the DPO has the appropriate level of qualification and expert knowledge. Organizations should also consider verifying that they maintain appropriate documentation, such as organizational charts to demonstrate that DPOs report directly to the highest management level of the organization.
For more information, please contact Cédric Burton, Laura De Boel, Maneesha Mithal, Nikolaos Theodorakis, or another member of the firm’s privacy and cybersecurity practice.
Joanna Juzak, Michael Kern, and Matthew Nuding contributed to the preparation of this Wilson Sonsini Alert.
[1]See press release of the Bavarian DPA dated March 15, 2023 here.
[2]See press release of the Spanish DPA dated March 15, 2023 here.
[3]See press release of the Finnish DPA dated March 15, 2023 here.
[4]See press release of the Portuguese DPA dated March 15, 2023 here.