Rachel de Souza and Anna Rivera | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/anna-rivera/

Europe: EDPS finds that the European Commission has infringed data protection rules
https://privacymatters.dlapiper.com/2024/03/europe-edps-finds-that-the-european-commission-has-infringed-data-protection-rules/
Thu, 21 Mar 2024

On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had failed to provide appropriate safeguards to ensure that personal data transferred outside the EEA were afforded an essentially equivalent level of protection to that guaranteed in the EEA. In addition, the EDPS concluded that the Commission did not sufficiently specify in its contract with the software company what types of personal data were to be collected and for which explicit and specified purposes.

Background

The EDPS investigation was opened following the Schrems II judgment and Recommendations previously issued by the EDPS on the use of the software company’s products and services by EU institutions and bodies. The investigation was part of the EDPS’ participation in the EDPB 2022 Coordinated Enforcement Action into the use of cloud-based services by the public sector.

Summary of EDPS findings

The EDPS found that the Commission had infringed several provisions of Regulation (EU) 2018/1725, including those on transfers of personal data outside the EEA. In particular, the EDPS found that the Commission had failed to:

  • provide appropriate safeguards ensuring that data transferred enjoy an essentially equivalent level of protection to that in the EEA;
  • specify what types of personal data can be transferred to which recipients in which third country and for which purposes;
  • map the proposed transfers, conduct a transfer impact assessment and include appropriate safeguards in the Standard Contractual Clauses (SCCs);
  • obtain authorisation of those SCCs from the EDPB; and
  • ensure that transfers took place “solely to allow tasks within the competence of the controller to be carried out.”

In addition, the EDPS found that the Commission had failed to comply with a number of other requirements of Regulation (EU) 2018/1725, including failing to adequately specify the types of personal data in relation to its intended purposes, leading to ambiguity and potential non-compliance with Regulation (EU) 2018/1725; and failing to provide sufficiently clearly documented instructions for the processing.

EDPS Corrective Measures

As a result of its findings, the EDPS imposed a number of corrective measures on the Commission, including:

  • from 9 December 2024, suspend all data flows resulting from its use of the software to the software company and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision; and
  • bring the processing operations resulting from its use of the software into compliance with Regulation (EU) 2018/1725.

Taking into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise its official authority, as well as the need to allow appropriate time for the Commission to implement the suspension of relevant data flows, the EDPS held that the Commission has until 9 December 2024 to demonstrate compliance with both orders.

Europe: EDPB coordinated enforcement action identifies areas of improvement to promote the role and recognition of DPOs
https://privacymatters.dlapiper.com/2024/01/europe-edpb-coordinated-enforcement-action-identifies-areas-of-improvement-to-promote-the-role-and-recognition-of-dpos/
Tue, 30 Jan 2024

Background

March 2023 saw the launch of the European Data Protection Board’s (EDPB’s) second coordinated enforcement action (CEF 2023), which focused on the designation and position of Data Protection Officers (DPOs). Data Protection Authorities (DPAs) across the EEA have launched coordinated investigations into this topic. In particular, DPAs have been investigating whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks.

On 17 January 2024, the EDPB adopted a report on the findings of supervisory authorities participating in the CEF 2023. In particular, the report analyses the challenges faced by DPOs and by organisations that have designated a DPO, and how these may impact compliance with data protection laws. The report also includes recommendations that organisations, DPOs and supervisory authorities may take into account to address these challenges.

Challenges faced by DPOs

Although the EDPB’s report recognises positive findings for many DPOs, it concludes that a number of DPOs still face obstacles, including:

  • an absence of designation of a DPO, even where appointment is mandatory;
  • insufficient resources allocated to the DPO;
  • insufficient expert knowledge and training of the DPO;
  • DPOs not being fully or explicitly entrusted with the tasks required under data protection law;
  • conflicts of interest and a lack of independence of the DPO;
  • a lack of reporting by the DPO to the organisation’s highest management level; and
  • a requirement for further guidance from supervisory authorities.

Recommendations to address these challenges

In order to address the challenges identified, the report lists recommendations for organisations, DPOs and DPAs, including:

  • encouraging DPAs to raise awareness amongst organisations of their obligation to appoint a DPO, through the promotion of existing guidance and enforcement actions, and providing further guidance, additional training materials and training sessions that could help a DPO navigate complex issues; and
  • encouraging organisations to ensure DPOs have sufficient resources to properly exercise their function and are given sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.

EDPB conclusions

Despite the challenges identified in the report, the EDPB concludes that the overall results of the survey are encouraging, with the majority of DPOs confirming that they receive regular training and have the necessary skills and knowledge to do their job. However, the report emphasises the need to strengthen the role and recognition of DPOs, in order to ensure compliance with data protection laws.

The report also recognises that the role of the DPO seems to be changing in practice, with DPOs being tasked with key roles under new EU legislation introduced as part of the EU Data Strategy, such as the AI Act, the Digital Services Act, the Digital Markets Act and the Data Act. The EDPB concludes that organisations will need to consider how DPOs are tasked, utilised and supported, to ensure that these new roles avoid issues such as conflicts of interest or insufficient resources at the disposal of the DPOs.

The EDPB has confirmed that the CEF 2024 action will focus on the implementation of the right of access by data controllers.
