Report identifies seven areas of improvement for Data Protection Officers in EU

The European Data Protection Board has collated the results of investigations into the role of Data Protection Officers.

This report is published as a result of a year-long initiative from various supervisory authorities (SAs). SAs have been collecting information on the position of data protection officers (DPOs) across their jurisdictions through questionnaires, followed by an analysis of all the gathered findings by the European Data Protection Board (EDPB). This EDPB report is a combination of these coordinated actions across 25 jurisdictions and will affect companies that require the appointment of a DPO.

It provides a list of seven recommendations that companies and their DPOs can take into account to address issues identified during the coordinated investigation phase. These findings from national supervisory authorities again emphasize the need to further strengthen and promote the role and importance of DPOs.

What does the report recommend?

The executive summary of the report identifies seven areas of concern, with examples of recommendations for each, as set out below. Companies, DPOs and SAs should use these recommendations to address the challenges going forward, as they are now considered “best practice”.

Areas of concern and recommendations

Area of concern: Absence of DPOs regardless of mandatory requirement.
Recommendation: Even if a DPO is mandatory, not every company has one. Companies argue that when DPOs left, there was no one to fill the gap. Appointment of a deputy DPO is strongly recommended as a solution.

Area of concern: Insufficient resources allocated to DPOs.
Recommendation: One of the main findings on insufficient resources is a lack of human resources, which is problematic in terms of active and long-term compliance. Companies need to carefully assess what resources their DPO needs to properly exercise their functions. Ensuring compliance under GDPR will be significantly easier with a dedicated, full-time DPO, supported by a team and deputy DPO where appropriate.

Area of concern: Insufficient expert knowledge and training of DPOs.
Recommendation: GDPR requires DPOs to have expert knowledge, and DPOs who fall short of that level do not necessarily meet the requirement. Make sure you have a team of DPOs and more capacity to develop expert knowledge.

Area of concern: DPOs not being fully or explicitly entrusted with the tasks required under GDPR.
Recommendation: DPOs are not always given the key role or tasks that are required under GDPR. It is recommended that you have a clearly defined list of tasks for DPOs, so that the role of the DPO within the organization can easily be determined.

Area of concern: Conflict of interests and lack of independent role of DPOs.
Recommendation: Despite the Guidelines on DPOs and the X-Fab Dresden case stating that a conflict of interests occurs when DPOs also determine the means and purposes of processing, the results still show risks of possible conflicts of interests and a lack of independence. One recommendation, among others, is to further develop the Guidelines on DPOs and to formalise the duties and conditions of the DPO role in an “engagement letter”.

Area of concern: Lack of reporting by DPOs to the highest management level of the organization.
Recommendation: SAs should provide further guidance on the legal obligation to have the DPO report to the organization’s highest management level, by adopting “best practice” based recommendations or a template for DPO reporting to management.

Area of concern: Further guidance from SAs.
Recommendation: Based on the survey results, further guidance from the SAs could help address the areas of concern identified above, in particular by amending the Guidelines on DPOs.

What else do I need to know?

Due to new EU legislation in the digital field, such as the AI Act and Digital Services Act, DPOs are being tasked with new roles related to, for example, AI, ethics and data governance. New roles may lead to challenges such as conflicts of interests, insufficient available resources and inadequate expert knowledge and training of DPOs. It is vital for companies to consider the tasks and support of the DPO to ensure they can continue to provide the best added value.

An alternative could be to (partially) outsource your DPO needs. Such a model is able to provide your company with the level of expertise necessary to navigate this ever more complicated landscape of (personal) data governance.

It is also worth mentioning that the report does not rank the focus areas and lacks a comprehensive answer on how companies can measure or benchmark the role or position of the DPO within their organization. It will be interesting to see if such aspects will be addressed in the further development of the WP29 Guidelines on DPOs.

Olaf van Haperen is a partner working in the Dutch offices and heads the TMT practice in Europe. Frédérique Swart is an associate in the Commercial group specializing in technology, data and privacy.
