Following the European Data Protection Board (EDPB) announcement of 15th March 2023, 26 Data Protection Authorities (DPAs) across the EEA (including the EDPS) will take part, throughout 2023, in the Coordinated Enforcement Framework (CEF) focused on the designation and position of Data Protection Officers (DPOs).

Under the CEF, DPAs will investigate and gauge whether DPOs have the organisational position required under Articles 37 to 39 of the EU Data Protection Regulation, with potential areas of focus including but not limited to:

  • DPOs' qualifications and necessary resources
  • DPOs' independence
  • Existence of conflicts of interest
  • Direct reporting to the highest level of the organisation

The DPAs will ask DPOs a series of questions about their designation and position in their respective organisations. The DPAs will also investigate compliance with the DPO-related requirements and follow up on ongoing formal investigations. Organisations are advised to review their compliance with the General Data Protection Regulation (GDPR) requirements, taking into consideration the upcoming wave of DPA enforcement.

The outcome of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. Furthermore, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level.

Recommended steps:

Taking into consideration the anticipated enforcement action, organisations must consider reviewing their compliance in line with the GDPR requirements related to DPOs. Specifically, organisations must assess whether their DPO can operate independently and has the required resources available to perform their tasks without conflict of interest, and ensure they have the correct documentation to demonstrate that the DPO reports directly to the highest management level of the organisation.

As an independent Data Protection Office with a multi-jurisdictional approach, HewardMills plays an essential role in contributing to compliance with data protection laws globally and promotes effective protection of data subject rights.

HewardMills can also assist in responding to EDPB data protection audits requested by the regulators and can help you to prioritise data and privacy strategies in line with local laws.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.