On January 2024, the European Data Protection Board (“EDPB”) adopted its report on the Designation and position of the DPO.
The report lists recommendations to strengthen the autonomy of DPOs and ensure they have adequate resources to fulfil their responsibilities, including, enter alia, the following:
- Absence of DPO designation – the EDPB recommends that DPAs create guidance to raise awareness and educate organizations upon the requirements for appointing a DPO, as well as implementing enforcement actions against organizations that did not appoint a DPO;
- Insufficient resources– the EDPB found that controllers and processors must guarantee that DPOs have sufficient resources to carry out their functions in the organization;
- Lack of expertise and training- due to the insufficient expert knowledge and training of the DPO found in the report, its recommended that the DPAs and EDPB provide further guidance and training to DPOs, in addition to controllers and processors documenting their progress, increasing certification mechanisms and stakeholder cooperation. Controllers and processors should ensure that DPOs are given sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments, including, where relevant to their activities and/or purposes, on new EU digital- and AI-related legislation;
- Conflict of interest and lack of independence: the EDPB’s Working Part Guidance Guidelines on DPOs need to be developed to further clarify the term ‘conflict of interests’, in addition, to avoid conflicts of interest in the DPOs role, DPAs should take further steps to ensure controllers and processors have appropriate safeguards;
- Lack of reporting to the organizations’ highest management level: therefore EDPB recommends implementing further guidance such as industry standards and policies, define more precisely the conditions, frequency, content, and effectiveness of reports to management; and
- Lack of further guidance from DPAs.
Due to DPOs crucial role, Organizations should consider adopting the EDPB’s recommendations in strengthening DPOs position, recognition and efficacy.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.