Following the European Data Protection Board (EDPB) announcement of its third Coordinated Enforcement Action (CEA) on ‘Subject Access’ in October (see our update here), as anticipated, the EDPB has now published its results (the Report) on its second CEA, ‘the role of Data Protection Officers’.

To briefly recap, the Coordinated Enforcement Framework (CEF) was set up by the EDPB in 2020, with a view to streamlining enforcement and cooperation amongst Supervisory Authorities (SAs). The aim of the CEF ultimately is to facilitate coordinated actions and investigations on a particular subject. To date, only one other CEA investigation has taken place, which related to the use of cloud services by public bodies.

The EDPB’s second CEA investigation – the role of Data Protection Officers

The second CEA was selected by the EDPB in September 2022, titled ‘the Designation and Position of Data Protection Officers’. Throughout 2023, across the EEA, SAs conducted an investigation into the role of Data Protection Officers (DPOs) (the Investigation). The Investigation began with the SAs drafting a bespoke questionnaire (Questionnaire) for processors, controllers and/or DPOs to complete. The Questionnaire was sent to 61,962 recipients of which 17,490 responses were received. The responses informed the recommendations (including key points for attention) for the Report.

The key challenges (and recommendations) recognised in the Report are as follows:

   Challenge  Recommendation 
1) Absence of the designation of a DPO, even when mandatory                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

Most respondents had appointed a DPO. However, the results show that some organisations had not appointed a DPO, even though they were required to do so under Article 37(1) GDPR (designation of data protection officer). Based on the results, it is likely that a common misconception amongst public sector organisations is that Article 37(1) GDPR does not apply to them.


Awareness amongst organisations of their DPO requirement (i.e., whether one is required, or not), needs to be improved.  The Report recommends that SAs promote existing and further guidance to raise awareness on the requirements.


2)  Insufficient resource allocation

Where organisations had successfully appointed a DPO, the Report highlighted concern surrounding the availability of resources to fulfil the DPO role, recognising the requirement under Article 38(2) GDPR that DPOs are provided with adequate resources.

The apparent lack of deputy DPO appointments cited in the Report raises concerns that (a) DPOs may be burdened with additional tasks over and above what is reasonable, and (b) the longevity of compliance is at risk, as there is no cover for annual or sick leave. This may ultimately lead to mandatory tasks specified under the GPDR being neglected.

The Report recommends that controllers and processors perform a documented evaluation of what resources the DPO requires, on a case-by-case basis. Following the evaluation, they should then verify that the DPO has the appropriate ‘resources to properly exercise their functions’.

SAs note that further guidance and training may be beneficial for DPOs facing complex issues. SAs could also incentivise organisations to dedicate the appropriate resources to DPOs, however there has been no recommendation as to what any incentive may look like.


3) Insufficient expert knowledge and training of DPOs

General concerns over the level of knowledge and training of DPOs (both on entering the role and in continuance) were shown in the report. Most respondents confirmed that the DPOs in their organisations received 24 hours or less of training each year. Article 37(5) GDPR sets out that expert knowledge is required; mere experience is not enough.

As most readers will be aware, there are various new data laws on the horizon (including the Digital Services Act, Digital Markets Act, Data Governance Act, Data Act and Artificial Intelligence Act). The consideration and understanding of these developments will likely take more than 24 hours per year and therefore in our view, the concern surrounding insufficient knowledge and training is not only important, but timely.


The Report recommends that controllers and processors document their organisation’s knowledge and training needs and ensure progression is achieved. DPOs should be given sufficient opportunities, time and resources to refresh their knowledge and learning on new developments.


4) DPOs not being given key roles


Article 39 GDPR sets out tasks that must be performed by DPOs. The results of the Questionnaire indicate that (a) there is a lack of understanding as to what DPOs should be doing within their organisations, and (b) some DPOs are being tasked with roles that sit outside their remit including carrying out the roles of controllers and/or processors (such as completing Data Protection Impact Assessments (DPIAs) rather than seeking the DPO’s advice on the DPIA, as set out in Article 35(2) GDPR).


The Report recognises that there could be more initiatives in place and enforcement actions by SAs to incentivise controllers and processors to maintain the separation of roles from the DPO and organisations should promote and educate on the DPO’s role internally.


5) Lack of systematic involvement of the DPO within the organisation


The Questionnaire identified that there is a lack of consistency in the role of DPOs, with instances arising where DPOs are not being consulted on personal data and its protection on a regular basis. Article 38(1) GDPR sets out that DPOs should be involved in matters properly and in a timely manner.


As with the previous point, the Report recommends that the role of DPOs should be promoted internally by all stakeholders. SAs should encourage initiatives that protect the independence of DPOs and support their functions so that DPOs can fulfil their roles.

6) Conflict of interests due to conflicting roles or tasks


Article 38(6) GDPR does allow DPOs to have other responsibilities outside of the DPO role, however these responsibilities must not cause a conflict of interest. In practice, however, this does not always appear to be the case as many DPOs also hold management responsibilities for the organisation -  i.e., C-suite roles or heads of department. This means that a conflict of interest may often arise as the role outside of DPO will be making data processing decisions, whilst also then needing to consult with the DPO.  To emphasise how wide this problem may be, only half of those that responded to the Questionnaire are full time DPOs.


Despite the Court of Justice clarifying the terminology ‘conflict of interest’ in X-Fab Dresden[1], it is apparent that the Article 29 Working Party Guidelines need to be further developed and reinforced by SAs, so that DPOs can provide adequate time to their roles.

[1] CJEU Judgment 9 February 2023, C-453/21, X-Fab Dresden GmbH & Co. KG, ECLI:EU:C:2023:79


7) Lack of independence due to instructions, contractual or budgetary setup


The responses to the Questionnaire indicate that a number of DPOs receive instructions on how to complete their DPO tasks, whilst other DPOs’ tasks (mostly those that are outsourced), will be influenced by contractual and budgetary restraints.


According to the Report, ‘more awareness-raising activities’ need to be implemented from both SAs and organisations, that make it clear that DPOs’ tasks are independent and that a DPO cannot be dismissed for performing their DPO tasks in conjunction with tasks from another role. This recommendation goes further to suggest that organisations could implement DPO engagement letters that set out the DPO’s duties and conditions.


8) Lack of reporting by DPOs to their organisation’s highest management


Under Article 38(3) GDPR, DPOs are required to report to the organisation’s highest level of management. The Report recognises that, if DPOs do not report to the highest level of the organisation, or fail to frequently, then management will not receive the necessary information on the DPO’s work which could affect the organisation’s overall data protection compliance.


The drafting of ‘industry standard’ internal data policies would be useful to clearly set out (a) who DPOs are required to report to, and (b) the frequency of such reports. This will avoid any confusion within organisations and facilitate compliance with the GDPR.  This recommendation also goes further to suggest that SAs could implement a template DPO document report, that organisations can use to evidence their reporting requirements.

Report Takeaways

The Report strongly demonstrates that DPOs, as well as their organisation, require further guidance on ‘the role of DPOs’. All of the recommendations, if implemented, would allow DPOs to be more efficient within their roles and subsequently ease the resourcing burden that is experienced in many organisations.

The Report goes on to set out the varied support available from SAs across the EEA, but consistently recognises that updated and extensive guidance is required for all DPOs, regardless of SA.

Continuing the theme of lack of resource, the Report notes that for the recommendations to be implemented, the SAs and EDPB also require targeted resource.

Despite UK organisations not being bound by EDPB, the Report may be insightful for UK DPOs and is particularly timely given the proposed changes to the role of the DPO in the UK’s Data Protection and Digital Information Bill, which is currently making its way through parliament.

Please do get in touch if you would like to further discuss the above, or other EDBP CEAs.

We will continue to monitor publications on the third CEA and provide updates in due course.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

21 February 2024