The Court of Justice of the European Union (CJEU) recently ruled that Data Protection Officers (DPOs) must be independent in order to fulfill their duties and tasks. However, they are not entrusted with determining how personal data should be processed, as this is a decision left up to the national court to assess in every case.
IAPP Director of Research and Insights Joe Jones believes this situation will continue to be difficult for both privacy professionals and organizations alike, as they strive to comply with regulations within practical business practices. He added that many organizations may face an impossible position if their DPO has too many roles and responsibilities that involve making decisions about data processing.
This ruling comes shortly before the European Data Protection Board plans to conduct enforcement actions targeting the designation of DPOs. Despite these difficulties, it’s essential that organizations remain committed to protecting personal data in line with all applicable laws.