DP News – Week 38. European focus on DPO.
The UK’s Data Protection and Digital Information Bill (temporarily put on hold, though) shows that UK lawmakers intend to rework their current approach to the position of Data Protection Officer (DPO). In particular, the DPO role is planned to be removed completely and replaced by a Senior Responsible Individual (SRI). Under the proposed bill, an SRI should be appointed if the controller or processor is a public body or if it carries out processing that is likely to result in a high risk to the rights and freedoms of individuals.
At the same time, within the EEA, the EDPB has chosen the designation and position of the DPO as the next topic for coordinated enforcement action. The actions are expected to be carried out in coordination with the European Data Protection Supervisor (EDPS) and 22 data protection authorities across the EEA. The details are yet to be specified in the months to come. As the EDPB explains, “the results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level”.
This is not the first time the EDPB has arranged coordinated enforcement actions: last year they were carried out in respect of cloud-based services used by the public sector.
It would be fair to say that the position of DPO has lately been a point of attention for some supervisory authorities. For example, in a recent landmark case involving IAB Europe and the Belgian DPA, one of the violations that led to a total fine of 250,000 EUR was that IAB Europe should have appointed a DPO but failed to do so. In another case dating back to March 2022, the same Belgian DPA fined an unnamed bank 75,000 EUR because the DPO had a conflict of interest, as he was also the head of three departments with decision-making powers. In 2021, Italy’s supervisory authority fined the Ministry of Economic Development 75,000 EUR for failure to appoint a DPO.
Given the above, we should probably expect more investigations and enforcement cases touching on the DPO role across the EEA very soon.