The Spanish Data Protection Agency (AEPD) has issued a report clarifying some misconceptions about the status and position of a data protection officer (DPO) within an organisation. This report sheds light on the functions of a DPO, including hierarchical position and labour status.
Coordinated enforcement action on the role of DPOs
The report has been issued in the context of the coordinated enforcement action launched by the European Data Protection Board, of which the AEPD is part.
This action aims to supervise whether the designation and position of DPOs within European public and private organisations is compliant with the GDPR.
Advisory and supervisory functions
In line with the recent CJEU ruling X-FAB Dresden (C-453/21), the AEPD report insists on the independence of DPOs and their advisory and supervisory role. DPO functions are confined to assisting controllers and processors in data protection matters, and not undertaking decision-making.
The AEPD recommends that DPO functions are clearly differentiated from data protection decision-making functions within an organisation, which are responsibility of the data controller and the data processor.
Reporting to the highest management level
The GDPR sets out that DPOs should report directly to the highest management level of the controller or the processor, namely the company’s administrative body.
This has sometimes been interpreted as DPOs must hierarchically depend on this body. AEPD dismantles this myth and notes that DPOs may depend on lower hierarchical bodies within an organisation, as long as reporting is made to the highest hierarchical body of the organisation.
DPO as an employee
A DPO can be an existing employee or externally appointed. In the case of employees, AEPD notes that they may be supervised and monitored by their employers. However, such supervision powers cannot result in a direct or indirect imposition of instructions on how to carry out their functions as DPO.
Further, DPOs can also be sanctioned or dismissed in case of gross negligence or fraud in the performance of their duties. This position has also been confirmed by the recent CJEU ruling X-FAB Dresden (C-453/21).
Looking ahead
The position of the AEPD regarding DPOs is substantially similar to that of the EDPB in its guidelines on DPOs. Nevertheless, we strongly recommend that data controllers established or carrying out processing activities in Spain consider the AEPD recommendations. AEPD plans to scrutinise more than 30,000 public and private entities in Spain under the Coordinated Enforcement Action in 2023.
If you would like to hear more about such recommendations, let us know!