Remember this post? In October last year, we posted that the data protection authorities of Europe would be focussing on the position and designation of data protection officers (DPOs) in 2023. Today, the European Data Protection Board published a news post stating that its coordinated enforcement action concerning DPOs has officially commenced.
In brief, national data protection authorities will (among other things) send questionnaires to DPOs to “aid fact-finding exercises or questionnaires to identify if a formal investigation is warranted.”
A formal investigation could lead to enforcement actions by the investigating supervisory authority, and an investigation that initially focusses on the DPO may turn into more in-depth investigations into the company’s processing activities. Any company confronted with a questionnaire from a supervisory authority should consider it carefully and, where possible, seek legal advice due to the legal consequences the answers may have.
For now, we feel that companies that have appointed a DPO would do well to review whether the position of the DPO and its embeddedness within the company meet the requirements set in Articles 37-39 GDPR and the underlying guidance as endorsed by the European Data Protection Board. Time spent on this review upfront may aid your company in the long run, as we currently have no way of predicting which companies and/or institutions will be targeted by this coordinated enforcement action.
Update: To give you a clear view of the scale of this enforcement action, the Spanish data protection authority states that it will review the activities of more than 30.000 private and public entities. Although the news post by the European Data Protection Board only lists a couple of national supervisory authorities, there is no guarantee that the coordinated enforcement action will be limited to these countries, meaning that there is an enforcement risk for any company in the European Economic Area that either has designated or should have designated a data protection officer.
About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law in the life sciences sector and healthcare law, and Floris van der Laan, a paralegal with an interest in technology and its connection to EU privacy and data protection law. Both are Amsterdam-based.
This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.
DISCLAIMER. This blog is written strictly in a personal capacity and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from authors, cannot replace legal advice and do not lead in any manner to an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via email@example.com