On 15th March 2023 the European Data Protection Board (EDPB) announced that 26 data protection authorities will take part in the coordinated action for 2023 to analyse the designation and position of data protection officers (DPO) of public and private sector entities. In this initiative Data Protection Authorities (DPAs) across the European Economic Area (EEA) will be assessing whether DPOs have the organisational position required by Articles 37-39 of the GDPR and the resources needed to conduct their work in a number of ways.
According to the EDPB, the participating DPAs might send DPOs the questionnaires for a fact-finding exercise or questionnaires to identify if a formal investigation is warranted. It can result in a commencement of a formal investigation or a follow-up of ongoing formal investigations. The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement action.
One of participating DPAs – the AEPD (Spanish Data Protection Authority) reported that regarding the private sector entities, the questionnaire will consider different sectors of activity: education, banking and financial entities, health, the energy sector, security, telecommunications services, financial solvency and credit, and activities related to gambling and bettings. The questionnaires will include questions related, among others, to the designation, knowledge and experience of the DPOs, their tasks and resources or their role and position in their respective organisations.
Therefore, we advise our clients to get ready to such “questioning” by fulfilling self-assessment and properly documenting the status of their DPO.