May 31
Data Protection Officer

The Role of Data Protection Officers Under the GDPR

As we learned a couple of weeks ago, the European Data Protection Board launched its coordinated enforcement action for 2023. This year, 26 Data Protection Authorities are focusing on the designation, position, and tasks of data protection officers (DPOs). The joint initiative also aims to assess whether DPOs have the resources they need to fulfil their roles in compliance with the GDPR. I will therefore delve a bit deeper into the role of the DPO according to Section 4 of the GDPR (Articles 37 to 39).

First, there are two routes to designating a DPO: mandatory or voluntary. If you take the voluntary route, i.e. you appoint a DPO even though the requirements in Article 37 of the GDPR do not oblige you to, you cannot cherry-pick which of the remaining DPO rules to follow. In other words, a designation always results in an obligation to follow Articles 37 to 39 in full.

So, if you designate a DPO, what’s next? Before anything else, and before it falls through the cracks, publish the DPO’s contact details and communicate them to your supervisory authority, as Article 37(7) requires. The aim is that data subjects and the authority can easily reach the DPO directly, without intermediaries, as the main contact point for data protection questions, issues, and requests. Note that contact details are not the same as identity data: it is neither necessary nor required to publish the DPO’s name, location, et cetera to enable communication with them. Although a published name is not a requirement, the EDPB considers it good practice. I would say, however, that it is for the controller or processor to assess whether publishing the name is compatible with the principles of purpose limitation and data minimisation.

Let’s move on to the position of the DPO. Primarily, the DPO must be involved, properly and in a timely manner, in all issues relating to data protection: being informed and consulted by the controller or processor and acting as a discussion partner. According to the EDPB, the DPO should be invited to senior and middle management meetings; be present when decisions with data protection implications are taken; have their opinion given due weight, with the reasons for not following the DPO’s advice documented; and be promptly consulted once a data breach or another incident has occurred.

One of the things the coordinated enforcement action is focusing on is whether DPOs have the resources necessary to carry out their tasks and maintain their expert knowledge. According to the EDPB, specific attention should be given to the following factors:

  • Active support by senior management.
  • Sufficient time to perform their duties.
  • Financial resources, infrastructure, and staff where appropriate.
  • Access to other departments (HR, IT, Legal, Security) to get support, input, and information from them.
  • Continuous training so the DPO is staying on top of recent developments in data protection.

You can therefore address these points now, before the coordinated enforcement action begins probing controllers and processors around the EU.

Another key element of the DPO’s role is independence. According to Article 38(3) and recital 97 of the GDPR, DPOs may not receive any instructions regarding the exercise of their tasks and must be able to perform their duties and tasks independently. In practice, the prohibition on instructions means that the controller or processor cannot steer the DPO towards a desired outcome in the tasks listed in Article 39. Of course, that doesn’t mean there can’t be disagreements. Recall that the EDPB considers it best practice for the controller or processor to document the reasons for not following the DPO’s advice, since compliance with the GDPR remains the controller’s or processor’s responsibility. When there is disagreement, the DPO should use their legal authority under Article 38(3) to report their advice and recommendations directly to the highest management level.

Another aspect of independence is the rule against conflicts of interest. The DPO may perform tasks and duties other than those specified in Article 39, so long as this does not result in a conflict of interest. There are many decisions from supervisory authorities on this matter, and I will present some of the case law deriving from the rule. For example, various supervisory authorities have found that a DPO cannot be the head of another department, a senior lawyer, a deputy CEO, or a board member. In one instance a DPO was allowed to serve concurrently as chief compliance officer, in another not (see Persónuvernd – 2020061979 and CNPD – 37FR/2021). In an Italian case, the supervisory authority held that the DPO cannot be the person who represents the legal entity in court (see Garante per la protezione dei dati personali – 9794895). The deciding factor is not the job title but the circumstances of the tasks: can the tasks or duties lead to the DPO determining the purposes and means of processing for the controller or its processor? According to the Court of Justice (see C-453/21 X-Fab Dresden GmbH & Co. KG), the national courts must determine this on a case-by-case basis by assessing all the relevant circumstances, in particular the organisational structure of the controller or processor, and in the light of all the applicable rules, including any policies of the controller or processor.

My two cents are that it isn’t impossible for a DPO to do other things alongside their legal tasks, but you need to carry out the assessment above for your own circumstances. That is, look at the relevant factors, identify the weak points, adjust the organisational structure and internal rules accordingly, and adopt limitations on the DPO’s other tasks and duties. This way you can ensure compartmentalisation between, on the one hand, the tasks of informing, advising and monitoring compliance and, on the other, determining the purposes and means of processing.

Lastly, for this blog post, what are the tasks of the DPO? The GDPR requires the DPO to monitor compliance with the regulation, in particular internal compliance. The EDPB has elaborated on this by stating that the DPO may collect information to identify processing activities, analyse and check the compliance of those processing activities, and inform, advise and issue recommendations to the controller or processor. The DPO’s role also includes advising the controller on data protection impact assessments and monitoring their performance: for example, whether to carry out a DPIA, which methodology to follow, which technical and organisational measures to apply, and whether the result of the DPIA is correct. The EDPB also refers to the DPO’s role as a facilitator, meaning the tasks of cooperating with supervisory authorities and acting as the contact point for prior consultations and any other matter.

And remember, if you are a DPO, hush-hush: you are bound by secrecy or confidentiality concerning the performance of your tasks according to Article 38(5). That confidentiality does not, however, apply towards the supervisory authorities.

So if you have the need, please use this blog post and the other resources mentioned here to review your own organisation before the supervisory authorities begin their coordinated enforcement action in the 26 participating member states. If you know which member state isn’t participating, you can let me know at albin.thelin@nulldporganizer.com.
