EDPS Introduces Binding Rules to Safeguard DPO Independence in EU Bodies
The European Data Protection Supervisor (EDPS) has introduced new measures to reinforce the role and independence of Data Protection Officers (DPOs) within all European Union institutions, bodies, offices, and agencies (EUIs). These measures include updated guidance and binding rules aimed at clarifying the responsibilities and protections afforded to DPOs under EU law. The changes are intended to ensure that DPOs can effectively oversee data protection practices without undue influence or risk of arbitrary dismissal.
On December 18, 2025, the EDPS published Supervisory Guidance detailing the role, position, and tasks of DPOs in EUIs. This guidance explains how DPOs should be designated and positioned within their organizations, emphasizing the importance of their independence. It also outlines the responsibilities that DPOs must fulfill to support compliance with data protection regulations and to safeguard personal data within EU institutions.
Following the guidance, the EDPS adopted Decision 01/2026 on January 16, 2026, which establishes binding rules requiring prior consent from the EDPS before any dismissal of a DPO before the end of their term. This decision creates a clear and uniform procedure that EUIs must follow to protect DPOs from premature or unjustified removal, thereby strengthening their ability to carry out their duties without fear of retaliation.
Together, the guidance and binding rules set clear expectations and procedural safeguards for the protection of DPOs in EUIs. These measures apply immediately and should be incorporated into the internal policies and decision-making processes of all EU institutions. Wojciech Wiewiórowski, the European Data Protection Supervisor, emphasized that these steps will reinforce the DPO’s role as a key internal safeguard for personal data protection across EU institutions.
