EDPB’s coordinated enforcement on the role of data protection officers

EDPB’s coordinated enforcement on the role of data protection officers

  1. On 15 March 2023, the European Data Protection Board (“EDPB”) announced the launch of its second coordinated enforcement framework (the “CEF 2023”) with a focus on the role of data protection officers (“DPO”). This is only the second coordinated enforcement framework carried out by the EDPB, the first having taken place in 2022 with a focus on the use of cloud services in the public sector.[1] Coordinated enforcement actions have the goal of streamlining enforcement and cooperation among the supervisory authorities.

  2. In its announcement of the launch, the EDPB emphasises the essential role of DPOs in contributing to data protection compliance and the effective protection of data subject rights, describing the role of the DPO as an intermediary role between supervisory authorities, business units of an organisation and individuals.

  3. The CEF 2023 is envisaged to measure and analyse the role of DPOs within their organisations from the perspective of the requirements set out in Articles 37 – 39 of the General Data Protection Regulation (EU) 2016/679 (the “GDPR”). The matter of whether DPOs have access to the resources needed to carry out their tasks will also be within scope of the CEF 2023.

  4. The EDPB plans to carry out the CEF 2023 through the following:
    • Fact-finding missions to identify whether a formal investigation is necessary, primarily carried out through sending questionnaires to DPOs;
    • commencement of a formal investigation; and
    • follow-up of ongoing investigations.
  5. Alike with the coordinated enforcement action carried out in 2022, the EDPB plans to analyse the results of CEF 2023 in a coordinated manner and plans to aggregate and publish results in a report.

  6. The Swedish Authority for Privacy Protection (Sw. Integritetsskydds­myndigheten, the “SAPP”) has announced that it intends to participate in CEF 2023 and that it plans to initiate investigations of several entities.[2] The SAPP stated that its work with the matter is still in the planning phase for the time being.[3]

    The SAPP’s study of data protection in practice

  7. Ahead of the CEF 2023, in January 2023, the SAPP published a report of a study of data protection in organisations required to have a DPO.[4] In this report, the SAPP found that a quarter of all DPOs lack specific time allocated for data protection, half of all DPOs feel that the allocated time for data protection is sufficient and seven in ten DPOs feel they receive sufficient training and skills development in their role.

  8. The SAPP’s study was carried out by sending ca. 4,600 surveys to organisations that had registered a DPO. In what was a relatively low survey participation, DPOs in nearly 800 organisations responded to the survey resulting in a number of observations:
    • the continuous and dynamic nature of data protection work requires persistence in terms of maintaining and improving data protection work, emphasising the importance of involving DPOs in matters of privacy and data protection;
    • data protection can advance with active management. DPOs should work closely with other relevant areas (g., information security, information management etc.) as well as with organisational development matters.
    • organisational security measures (g., routines and training) are necessary in continuation, in order to, inter alia, diminish the occurrence of personal data breaches caused by human error.
    • the role of a DPO must be clarified, as this may be experienced as an unclear role/assignment, particularly in part-time set-ups.
  9. X-FAB Dresden GmbH & Co. v. FC

    The CEF 2023 launch and the SAPP study report come shortly after the Court of Justice of the European Union (“CJEU”) issued a ruling in Case C‑453/21 (X-FAB Dresden GmbH & Co. KG v. FC, hereinafter “X-FAB v. FC”). The CJEU’s ruling in X-FAB v. FC focused on Article 38 of the GDPR and the question of conflicts of interests.

  10. The German Federal Labour Court (De. Bundesarbeitsgericht) sent a request for a preliminary ruling regarding the proceedings of X-FAB Dresden GmbH & Co. KG and its former DPO dismissed from its role as a DPO in 2017. Once the GDPR became applicable in May 2018, X-FAB argued that the dismissal was due to a risk of a conflict of interest in performing the function of a DPO and a chair of the works council at the same time, stating that the two roles are incompatible.[5]

  11. In response to the questions posed by the German Federal Labour Court, the CJEU emphasised the importance of the independence of the DPO in ensuring a high level of protection to data subjects and ruled that Article 38(3) of the GDPR does not preclude national legislation from providing additional protections against dismissals of DPOs, provided that such legislation does not undermine the objectives pursued by the GDPR.[6] The CJEU clarifies that national legislation cannot afford DPOs protection where DPOs are, owing to a conflict of interests, unable or are no longer in a position to be able to carry out the tasks and duties of a DPO in a manner that is completely independent.[7]

  12. Moreover, the CJEU clarifies that, by virtue of Article 38(6) of the GDPR, there is no ‘fundamental incompatibility’ between the role of the DPO and other roles and, as such, a DPO may fulfil other tasks and duties, as long as the controller or processor ensures that any such tasks and duties do not result in a conflict of interests.[8] Upon reiterating the tasks and duties of a DPO pursuant to Article 38(6) of the GDPR, the CJEU clarifies that DPO cannot be entrusted with tasks or duties which would result in the DPO determining the objectives and methods (purposes and means) of processing personal data on the part of the controller or its processor.[9]

  13. Lastly, the CJEU notes that this is a matter for the national courts to determine, on an in casu basis taking into account all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.[10]

DPO at a glance

Who must appoint a DPO?

  • Where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
  • Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences (Articles 9 and 10 of the GDPR respectively).

Article 37 of the GDPR

 

The position of a DPO

  • A DPO is not personally responsible in case of non-compliance with the GDPR;
  • A DPO shall be properly involved in all issues relating to personal data protection and such involvement shall be timely;
  • The controller or processor must ensure to provide enough resources to the DPO, as necessary for the DPO to carry out his or her tasks and maintain expert knowledge;
  • The controller or processor must ensure that a DPO does not receive any instructions regarding the exercise of his or her tasks.
  • A DPO should be in a position to perform his or her duties and tasks in an independent manner;
  • A DPO shall not be dismissed or penalised by the controller or the processor for performing their tasks;
  • A DPO acts as a contact point for data subjects;
  • A DPO is bound by secrecy or confidentiality regarding the exercise of his or her tasks; and
  • A DPO may have other tasks and duties as long as such tasks and duties do not result in a conflict of interests.

Article 38 of the GDPR

 

What are the tasks and duties of a DPO?

In the performance of tasks prescribed by the GDPR, a DPO shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

A DPO has at least the following tasks:

  • To inform and advise the controller or the processor and relevant employees of their obligations pursuant to the GDPR and applicable data protection provisions;
  • To monitor compliance with the GDPR and applicable data protection provisions and with the policies of the controller or the processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • To provide advice where requested as regards a data protection impact assessment (DPIA) and monitor its performance pursuant to Article 35 of the GDPR;
  • To cooperate with the supervisory authority; and
  • To act as the point of contact for the supervisory authority on issues relating to processing and to consult, where appropriate, with regard to any other matter.

Article 39 of the GDPR

 

 

[1] https://edpb.europa.eu/system/files/2023-01/edpb_20230118_cef_cloud-basedservices_publicsector_en.pdf.

[2] https://www.imy.se/nyheter/samordnad-undersokning-av-dataskyddsombudens-roll/ (in Swedish).

[3] Ibid.

[4] The SAPP, Data protection in practice, IMY report 2023:1 https://www.imy.se/en/news/data-protection-officers-point-to-problems-applying-gdpr/.

[5] Case C‑453/21 (X-FAB Dresden GmbH & Co. KG v. FC) paras. 10 – 17.

[6] Ibid, paras. 29 – 36.

[7] Ibid, para. 34.

[8] Ibid, paras. 39 – 41.

[9] Ibid, para. 46.

[10] Ibid.