Sep 22
Danish DPA Data Protection Digital Markets Act EU-US cooperation EDPB hits Meta, the EU General Court explains the nature

European focus on DPO

European focus on DPO

Konstantin Tiazhelnikov Konstantin Tiazhelnikov
  • September 22, 2022 -

DP News – Week 38. European focus on DPO

As follows from the UK’s Data Protection and Digital Information Bill (that has been temporarily put on hold, though), the local lawmakers are striving towards the optimisation of their currently existing approaches to the position of Data Protection Officer (DPO). In particular, the figure of DPO is planned to be completely removed and replaced by Senior Responsible Individual (SRI). Under the proposed bill, SRI sould be appointed if the controller or processor is a public body or if it carries out processing that is likely to result in a high risk to the rights and freedoms of individuals.

At the same time, within the EEA, the EDPB has decided the designation and position of the DPO to be the next field of enforcement actions. Those are expected to be performed in coordination with the European Data Protection Supervisor (EDPS) and 22 data protection authorities across the EEA. All the details are yet to be specified in the months to come. As the EDPB explains, “the results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level”.

It is not the first time the EDPB arranges coordinated enforcement actions: last year those were performed in respect of cloud-based services used by the public sector.

It would be fair to say that the position of DPO has lately been an attention point of some supervisory authorities. E.g., in a recent landmark case involving IAB Europe and the Belgian DPA, one of the violations that led to a total fine of 250,000 EUR was that IAB Europe should have appointed a DPO but failed to do so. In another case dating back to March 2022, the same Belgian DPA fined an unnamed bank 75,000 EUR due to the DPO being involved in the conflict of interests as he was also the head of three departments with decision-making powers, while in 2021, Italy’s supervisory authority ​​fined 75,000 EUR the Ministry of Economic Development for failure to appoint DPO.

Given the above, we should potentially expect more investigations and enforcement cases touching on the DPO aspect across the EEA very soon.

See more related posts »

Related blog posts

DP News – Week 16. EDPB opinion: Pay-or-Consent models clash with GDPR consent requirements, EU Commission requested a risk assessment from TikTok, ICO launched a privacy notice generator, Catalan Data Protection Authority fines occupational health center for email confidentiality breach, Dutch chipmaker investigates data breach amidst security concerns.
  • April 18, 2024 -

DP News – Week 15. Norwegian DPA imposed a 20 million NOK fine, Denmark’s DPA updated data transfer guidance for third countries, France’s DPA fined retail chain for unsolicited marketing.
  • April 11, 2024 -

DP News – Week 14. Subway operator was fined for covert employee monitoring in Iceland, Finnish DPA imposed fine for data retention violations and published its 2024 inspection plan, France’s DPA (CNIL) published a 5-year GDPR compliance review regarding data breaches.
  • April 4, 2024 -