The European Data Protection Board (EDPB) has begun the 2023 iteration of its annual coordinated enforcement action under the General Data Protection Regulation (GDPR). In coordination with twenty-six EDPB Supervisory Authorities (SAs), the EDPB will analyze the roles, tasks, resources, and positions of Data Protection Officers (DPOs) in public and private sector organizations. DPOs should expect to receive requests soon from Supervisory Authorities to respond to questionnaires intended to aid that analysis, describing how the DPO role is implemented and managed within organizations.
Each year, the EDPB selects one GDPR-related topic for which the EDPB and its SAs will engage in a coordinated enforcement action during the year, with activities “ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations.”1 The actions aim to promote consistent application of GDPR requirements and to “promote compliance, to empower data subjects to exercise their rights, to raise awareness, and/or to increase the knowledge of SAs.”2 Following completion of the coordinated enforcement action, the EDPB will publish a report analyzing data collected and best practices identified from national implementation of the coordinated enforcement action, and the EDPB and SAs will identify and implement follow-up actions.3
On March 15, 2023, the EDPB announced the commencement of its 2023 coordinated enforcement action. This year’s iteration aims “[t]o gauge whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks.”4 Twenty-six SAs from across the European Economic Area will participate in this initiative.5
Possible activities for the 2023 coordinated enforcement action include using questionnaires to gather facts or identify investigation needs, continuing ongoing formal investigations, and commencing new formal investigations.6 Some SAs have provided additional detail about their planned implementations, which appear more focused on information-gathering than enforcement at this stage:
- the Bavarian State Office for Data Protection Supervision (BayLDA) plans to evaluate DPO qualifications and resources, and obstacles that prevent DPOs from operating independently within their organization, including related to conflicts of interest and lack of direct access to organization management;7
- the Spanish Agency for Data Protection (AEPD) intends to survey DPOs for more than 30,000 public and private sector organizations, in a wide variety of industries, to obtain information about topics such as DPO knowledge, experience, tasks, resources, and organizational roles and positions;8 and
- the SAs for Hungary and Portugal expressly stated that they will focus on using questionnaires for response by DPOs (as opposed to formal investigations).9 The Portugal SA plans to contact DPOs directly and will even permit anonymous responses in an attempt to collect as many responses as possible.10
Ultimately, the EDPB and SAs will gather and analyze their research to identify next steps with respect to national supervision and enforcement actions.11 They plan to publish their analysis in a publicly available report.12
Based on what the EDPB and various SAs have shared about their plans for implementing the 2023 coordinated enforcement action, we anticipate that public and private sector organizations and their DPOs will soon receive requests from their respective SAs to complete questionnaires focused on DPOs. We will continue to stay abreast of further actions, including formal investigations that arise out of the EDPB’s and SAs’ review of the questionnaire responses, to keep our clients informed of the latest guidance and steps to take to minimize risk related to any investigations or other enforcement.
In short, now is the time, especially where a business appoints a DPO who is required to balance several positions and/or roles, to take a step back and examine the mechanisms and governance in place to ensure the GDPR role requirements are met. Where these fall short, businesses should address those gaps and conflicts and consider what fresh steps and processes are required to meet the requirements of the role.
1 EDPB Document on Coordinated Enforcement Framework under Regulation 2016/679, European Data Protection Board 2, 5 (adopted Oct. 2020, updated Oct. 4, 2021), https://edpb.europa.eu/sites/default/files/files/file1/edpb_documents_20201020_coordinatedenforcementframework_en.pdf.
2 Id. at 2, 5, 7.
3 See id. at 2, 6; Launch of coordinated enforcement on role of data protection officers, European Data Protection Board (Mar. 15, 2023), https://edpb.europa.eu/news/news/2023/launch-coordinated-enforcement-role-data-protection-officers_en.
4 Launch of coordinated enforcement, supra note 3.
7 Koordinierte Prüfung zu Stellung und Aufgaben von Datenschutzbeauftragten, Bayerisches Landesamt für Datenschutzaufsicht (Mar. 15, 2023), https://www.lda.bayern.de/media/pm/pm2023_03.pdf.
8 See La AEPD participa en una acción europea coordinada para analizar la designación y situación de los delegados de protección de datos, La Agencia Española de Protección de Datos (Mar. 15, 2023), https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/aepd-participa-accion-europea-coordinada-para-analizar-designacion-y-situacion-de-dpds.
9 Közlemény az Európai Adatvédelmi Testület által a 2023. évre prioritásként meghatározott, az adatvédelmi tisztviselők szerepére fókuszáló összehangolt fellépés tényleges megkezdéséről, Nemzeti Adatvédelmi és Információszabadság Hatóság (Mar. 20, 2023), https://www.naih.hu/hirek/536-koezlemeny-az-europai-adatvedelmi-testuelet-altal-a-2023-evre-prioritaskent-meghatarozott-az-adatvedelmi-tisztviselok-szerepere-fokuszalo-oesszehangolt-fellepes-tenyleges-megkezdeserol; O Papel Dos EPD No Centro Da Ação Coordenada Ue Para 2023, Comissão Nacional de Proteção de Dados (Mar. 15, 2023), https://www.cnpd.pt/comunicacao-publica/noticias/o-papel-dos-epd-no-centro-da-acao-coordenada-ue-para-2023/.
10 O Papel, supra note 9.
11 Launch of coordinated enforcement, supra note 3.
12 See id.