The European Data Protection Board has initiated a coordinated action on Data Protection Officers on 15 March. Data protection authorities will find out how the designation and position of Data Protection Officers have been realised in different EEA countries. Data Protection Officers are the internal data protection experts of organisations that offer advice on compliance with data protection regulations and act as the contact persons of data subjects in matters related to the processing of personal data.
The action by the European Data Protection Board (EDPB) will be implemented during 2023 by 26 data protection supervision authorities. The data protection authorities will find out whether Data Protection Officers have the position in their organisations required by the General Data Protection Regulation (GDPR) and the resources needed to carry out their tasks. The situation is studied through a survey addressed at a group of controllers in all of the participating countries. In addition, national supervisory authorities can implement other studies to investigate the position of Data Protection Officers.
The data protection authorities will analyse the results of the action in a coordinated manner and decide on possible further measures on the national level. Further measures can also be taken on the EU level based on the results. After the conclusion of the joint action, the European Data Protection Board will publish a report on the results.
The Data Protection Officer reports directly to the management of the organisation
Data Protection Officers play an important role in promoting compliance with the data protection legislation and the rights of the data subject. Data Protection Officers bring up any deficiencies they discover and offer advice to the management of the organisation as well as the employees who process personal data.
“Organisations are obliged to ensure that the statutory position of a Data Protection Officer is realised,” Data Protection Ombudsman Anu Talus emphasises. “Among other things, the Data Protection Officer must have the opportunity to report to the highest management level.”
A Data Protection Officer must be appointed if, for example, the organisation processes sensitive information extensively, carries out regular and extensive monitoring or when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
Last year, the target of the coordinated enforcement action by data protection authorities was the use of cloud-based services by the public sector. The report of the European Data Protection Board on the results of the enforcement action was published on 18 January. The objective of coordinated actions is to make the cooperation between supervisory authorities and the enforcement of data protection legislation more effective.