On March 15, 2023, the European Data Protection Board (EDPB) announced the launch of a coordinated enforcement action on the designation and position of Data Protection Officers (DPOs) across the European Economic Area (EEA). In practice, EEA data protection authorities will send questionnaires to organizations to assess their compliance with the GDPR requirements, open formal investigations, and/or follow up on ongoing formal investigations.

As a reminder, non-compliance with the GDPR requirements on the designation and position of the DPO can be subject to an administrative fine of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

It is thus of utmost importance for organizations to be prepared.

How to prepare your organization

1. Check whether your organization is required to appoint a DPO under GDPR

Organizations are required to appoint a DPO if they fall within one of the below scenarios:

  • The organization is a public authority or body (except for courts acting in their judicial capacity);
  • The organization's core activities consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale (monitoring includes, for instance, all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, and the monitoring of wellness, fitness and health data via wearable devices);
  • The organization's core processing activities consist of processing on a large scale of special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation) or personal data relating to criminal convictions and offences.

2. Check whether your appointed DPO has the professional qualities required under GDPR

The DPO must be designated on the basis of his/her professional qualities and, in particular, expert knowledge of data protection laws and practices and the ability to fulfil his/her tasks. More specifically, relevant professional qualities include:

  • Expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
  • Understanding of the processing operations carried out;
  • Understanding of information technologies and data security;
  • Knowledge of the business sector and the organization;
  • Ability to promote a data protection culture within the organization.

3. Check whether your appointed DPO has the position required by GDPR

Organizations must ensure that the DPO:

  • is involved properly and in a timely manner in all data protection-related issues and reports directly to the highest management level;
  • has the resources necessary to perform his/her tasks;
  • is independent and does not receive any instructions regarding the exercise of his/her tasks;
  • is not subject to a conflict of interests. In this respect, the Court of Justice of the European Union (CJEU) recently clarified that, while the DPO can be entrusted with other tasks and duties in addition to his/her DPO tasks and duties, there is a conflict of interests if those other tasks and duties lead the DPO to determine the objectives and methods of processing personal data, since reviewing those objectives and methods is part of the DPO's own tasks. Further, according to the CJEU, the risk of a conflict of interests must be assessed case by case, taking into account in particular the organization's structure and all applicable rules, including the organization's internal policies (Case C-453/21);
  • cannot be dismissed or penalized for performing his/her tasks. According to the CJEU, this does not mean that the DPO can never be dismissed for just cause (Case C-453/21).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.