
CYPRIOT SUPERVISORY AUTHORITY: Results of the coordinated action of the EDPB on the role of DPOs

On 15 March 2023, the European Data Protection Board (EDPB) launched the second coordinated action on the appointment and role of Data Protection Officers (DPOs). The purpose of this initiative was to collect information on the practices followed in the Member States and to assess compliance with the General Data Protection Regulation (EU) 2016/679, five (5) years after its implementation.

As part of this initiative, which was communicated to the general public in the Communication I issued on 15 March 2023, my Office sent a relevant questionnaire prepared by the EDPB to the DPOs of public and private organisations. A total of 316 questionnaires were completed (43 from the public sector and 273 from the private sector). The answers given and the numerical results extracted from the questionnaires were evaluated by my Office and communicated to the EDPB.

Based on the responses provided, the following issues, among others, were identified at national level.

The position of the DPO in the organisation

It was observed that in some cases the DPO of the organisation holds a Senior Management / Director General position or an Administrative Director position.

Pursuant to Article 38(6) of the Regulation, the data protection officer may perform other tasks and duties; however, “the controller or processor shall ensure that such tasks and duties do not entail a conflict of interests”.

Therefore, the DPO cannot hold a position, within the organisation, from which he or she can determine the purposes and means of the processing of personal data, such as the positions of Senior Management, Director, Chief Executive Officer and Head of Department, because this would entail a conflict of interest.

Publication of the contact details of the DPO

It has been observed that not all organisations have published the contact details of the DPO on their websites, nor have they communicated them to my Office, as required by Article 37(7) of the Regulation.

Organisations should have the contact details of the DPO publicly posted, in a prominent place, for example, on the part of the website dealing with the ways of contacting the organisation in general or in any other place where these details can be easily found. It is understood that it is necessary to include the contact details of the DPO in the organisation’s protection policy.

It should also be noted that, for queries, complaints or any other issues relating to data processing, data subjects should, in the first instance, contact the DPO of the relevant organisation and if and when they are not satisfied with the response received, they may contact my Office. The DPO is the person who, in the first instance, guides the data subjects on matters relating to the processing of personal data.

Deputy DPO

A large percentage of organisations have not appointed a Deputy DPO.

Although the appointment of a Deputy DPO is not required under the Regulation, organisations should ensure that, in the absence of the DPO, both cooperation with my Office and communication with data subjects are not affected.

Based on the responses collected from the coordinated action at European level, the EDPB has prepared a results report, which presents, inter alia, the results/statistics extracted from the questionnaires of each country, the main issues identified and the future actions that certain Supervisory Authorities will take.

Considering the importance of the role of the DPO, my Office will continue to provide the necessary guidance to ensure that DPOs effectively fulfil their role and duties under the provisions of the Regulation.

Specifically, in the context of continued assistance and support to DPOs, my Office is planning a new cycle of training activities, initially for DPOs in the public sector, which will take place in February 2024. Trainings for Private Sector DPOs will follow.

https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/All/417C645BF618A7CDC2258AAC003A8398?OpenDocument
