Spanish data regulator issues guidance on Data Protection Officers, Ceyhun Pehlivan, Elena Valín

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

The Spanish Data Protection Agency (AEPD) has issued a report clarifying some misconceptions about the status and position of a data protection officer (DPO) within an organisation. This report sheds light on the functions of a DPO, including hierarchical position and labour status.

Coordinated enforcement action on the role of DPOs

The report has been issued in the context of the coordinated enforcement action launched by the European Data Protection Board, of which the AEPD is part.

This action aims to supervise whether the designation and position of DPOs within European public and private organisations is compliant with the GDPR.

Advisory and supervisory functions

In line with the recent CJEU ruling X-FAB Dresden (C-453/21), the AEPD report insists on the independence of DPOs and their advisory and supervisory role. DPO functions are confined to assisting controllers and processors in data protection matters, and not undertaking decision-making.

The AEPD recommends that DPO functions are clearly differentiated from data protection decision-making functions within an organisation, which are responsibility of the data controller and the data processor.

Reporting to the highest management level

The GDPR sets out that DPOs should report directly to the highest management level of the controller or the processor, namely the company’s administrative body.

This has sometimes been interpreted as DPOs must hierarchically depend on this body. AEPD dismantles this myth and notes that DPOs may depend on lower hierarchical bodies within an organisation, as long as reporting is made to the highest hierarchical body of the organisation.

DPO as an employee

A DPO can be an existing employee or externally appointed. In the case of employees, AEPD notes that they may be supervised and monitored by their employers. However, such supervision powers cannot result in a direct or indirect imposition of instructions on how to carry out their functions as DPO.

Further, DPOs can also be sanctioned or dismissed in case of gross negligence or fraud in the performance of their duties. This position has also been confirmed by the recent CJEU ruling X-FAB Dresden (C-453/21).

Looking ahead

The position of the AEPD regarding DPOs is substantially similar to that of the EDPB in its guidelines on DPOs. Nevertheless, we strongly recommend that data controllers established or carrying out processing activities in Spain consider the AEPD recommendations. AEPD plans to scrutinise more than 30,000 public and private entities in Spain under the Coordinated Enforcement Action in 2023.

If you would like to hear more about such recommendations, let us know!

{

As intermediaries between DPAs, individuals and the business units of an organisation, data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights.

https://edpb.europa.eu/news/news/2023/launch-coordinated-enforcement-role-data-protection-officers_en