On 15 March 2023, the European Data Protection Board (EDPB) published news about its 2023 coordinated enforcement action regarding the designation and position of data protection officer. This is the second such initiative under the Coordinated Enforcement Framework (CEF).
CEF 2023 will entail 26 Data Protection Authorities (DPA) across the EEA (including the European Data Protection Supervisor – EDPS). In the upcoming months, participating DPAs will scrutinize the designation and position of DPOs. For these purposes, DPOs could be asked to provide certain information either as part of a questionnaire or as a part of an investigation (i.e., new or ongoing national investigations). Each DPA will decide on possible further national actions.
The results of this joint enforcement action will be analyzed in a coordinated way and will be aggregated. The EDPB stated that a report on this analysis’s outcome is to be published once the actions are concluded.
Several DPAs have already publicly announced that they will analyze the practices of the public and private sector entities which have designated a DPO. In contrast, others made more consistent statements regarding the main information they focus on through these actions (e.g., the impairments to the independent and effective performance of duties or whether the DPOs report directly to the highest management level of the controller or processor).
So far, there has been no publicly available reaction from the Romanian DPA following the EDPB news on this topic. However, considering the national practice, an update is expected to be published in the upcoming days.
The EDBP press release is available here.