European Data Protection Board Issues Investigative Report on the Role of Data Protection Officers
22 January 2024
The European Data Protection Board (EDPB) has issued a comprehensive report which focuses on the designation and position of Data Protection Officers (DPOs).
The report is the result of an EU-wide coordinated investigation. It lists the obstacles currently faced by DPOs, such as the absence of mandatory DPO designation, conflicts of interest and resource constraints, along with a series of recommendations to further strengthen their role.
The rationale for investigating the function of DPOs stems from the crucial role DPOs play in ensuring that organizations comply with data protection rules, in particular the General Data Protection Regulation (“GDPR”).
Given these complexities, the report makes clear that expert legal guidance on these specific pain points within the scope of the DPO’s responsibilities is essential.
In this regard, the EDPB provides key issues faced by organizations and their DPOs, as well as recommendations on areas for improvement, including the following:
- Absence of mandatory DPO designation – the report identifies a growing trend related to the absence of DPO designation in cases where it is mandatory. The EDPB recommends that data protection authorities further raise awareness and educate organizations by providing additional guidance on the requirements for appointing a DPO or consider implementing relevant enforcement actions.
- Conflicts of interest and lack of independence – the report pays specific attention to the issue of conflicts of interest and lack of independence among DPOs. This is in line with the recent CJEU ruling (Case C-453/21 X-FAB Dresden GmbH & Co. KG v FC) and earlier guidance of the Article 29 Working Party excluding DPOs from holding senior management positions, particularly where the DPO would be involved in determining the purposes and means of data processing. The EDPB makes a number of recommendations, including documenting the DPO’s duties, responsibilities and conditions in an “engagement letter”, collecting evidence in cases of interference with the DPO’s independence, and encouraging DPAs to further raise awareness and educate organizations by providing additional guidance on how to avoid conflict of interest situations.
- Insufficient resources – the report identifies that DPOs face challenges due to inadequate resources, including a lack of human resources and materials preventing active compliance efforts. The EDPB recommends, inter alia, that controllers and processors document and perform a case-by-case analysis of the resources needed by the DPO and recommends that data protection authorities issue specific guidance and training to navigate complex issues.
- Lack of experience and sufficient knowledge – the report highlights a significant gap in the experience and knowledge of DPOs. While the majority have received basic training, the average time dedicated to training and learning about recent regulatory developments is insufficient (i.e., ranging between 25 and 30 hours). The EDPB recommends that regulators organize training sessions for DPOs and suggests that DPOs record their progress and knowledge and undergo certification mechanisms.
- Reporting challenges – the report highlights the lack of regular reporting within organizations and identifies inconsistencies in consultation and unimplemented recommendations, particularly between an organization’s employees and its DPO or between the DPO and the highest level of management, which can hinder the timely resolution of critical issues. The EDPB recommends adopting policies and procedures that better define the conditions, frequency, content and effectiveness of reporting on data protection issues within an organization.
The aspects analyzed in the EDPB’s report are expected to be an enforcement priority for EU data protection authorities. Addressing the issues inherent in the DPO function is therefore critical for any organization.
To prioritize improvement and enhance the efficacy of the DPO, organizations should proactively implement EDPB’s recommendations and seek legal support to strengthen their data protection practices.