Long story short: DPOs in supervision spotlight

Controllers and processors that are required by law to appoint a data protection officer but have failed to do so, as well as all companies that have appointed a data protection officer, whether voluntarily or involuntarily, should take notice. The European Data Protection Board (EDPB) has announced the focus of its second coordinated enforcement action: the designation and position of the data protection officer across the European Economic Area.

This newly mentioned coordinated enforcement action follows from an EDPB update about the European Commission’s proposal for an EU Police Cooperation Code. Although the EDPB did not provide more information about the precise focus in relation to data protection officers, the message provides a clear signal and a warning.

Appointing a data protection officer is one thing, but embedding the role of data protection officer sufficiently in an organisation is quite another. The GDPR sets standards for the role and position of a data protection officer in an organisation (or a group of organisations), which are further detailed in the guidance from the Working Party 29 on the position of the data protection officer (endorsed by the EDPB). In addition, the GDPR requires that the data protection officer be appointed on the basis of his or her ‘professional qualities’, in particular his or her expertise in both law and practice and his or her ability to fulfil the statutory duties of a DPO. The interpretation of the professional qualities depends on the nature and scope and the type of processing activities (e.g. processing of special personal data, systematic international transfers of personal data, etc.), although the data protection officer does not need to be a lawyer.

Companies that have appointed a data protection officer who does not meet these requirements may want to look into investing in upgrading the knowledge of the data protection officer. That said, it is unclear what the exact target of the coordinated action will be. The main goal of a coordinated action as announced by the EDPB in relation to data protection officers is to give priority to a certain subject on which the data protection authorities (DPAs) work at a national level. These national actions of the DPAs will then be bundled and analyzed in order to create a better understanding of the topic at hand.

In 2020, the EDPB decided to set up a Coordinated Enforcement Framework (CEF). The CEF is set up to structure the annual coordinated actions of the EDPB and its objective is to ‘facilitate joint actions in a flexible but coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations’.[1] The CEF is meant to make enforcement and cooperation between the data protection authorities across various member states more efficient and is the basis for all coordinated actions.


[1] EDPB, Document on Coordinated Enforcement Framework under Regulation 2016/679, 20 October 2020.

By Floris van der Laan & Cécile van der Heijden

About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law and healthcare law in the life sciences sector, and Floris van der Laan, a paralegal with an interest in technology and its connection to EU privacy and data protection law. Both are based in Amsterdam, the Netherlands.

This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.

DISCLAIMER. This blog is written strictly in a personal capacity and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from authors, cannot replace legal advice and do not lead in any manner to an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via: cecile.vanderheijden@axonlawyers.com
