European data protection authorities launch coordinated review of the position and tasks of data protection officers
The European data protection authorities recently launched a coordinated review of the position and tasks of data protection officers, which is being coordinated by the European Data Protection Board (EDPB).The German data protection authorities are also taking part in the joint Europe-wide review.
The data protection authorities are particularly interested in using the review to gauge whether data protection officers have the position required by the General Data Protection Regulation (GDPR) and the resources needed to carry out their tasks.
Data protection officers will first be sent questionnaires for this purpose. The answers will be used to identify whether additional formal investigations by the authorities are warranted. The European data protection authorities intend to jointly decide on possible further national supervision and enforcement actions. Violations of the legal requirements set out in the GDPR may lead to significant regulatory fines.
We recommend that companies carefully review the position and tasks of their data protection officer, especially in light of the announced review by the authorities, and that any organisational improvements necessary be initiated quickly.
The role that the GDPR provides for data protection officers is one of the central pillars of robust data protection governance in a company. A data protection officer not only has the task of advising on data protection issues, but above all also has an independent control function. In practice, the challenge lies in designing structures and organisational processes for data protection in a company to, on the one hand, ensure that data protection officers are involved in an effective and at the same time efficient manner, but, on the other hand, to also avoiding potential conflicts of interest on the part of data protection officers. It is therefore obvious that, in their review, the supervisory authorities will also pay particular attention to any interference experienced by data protection officers in performing their tasks independently and effectively.