The APDCAT defends in Brussels the role of Data Protection Officers as guarantors of fundamental rights

The Catalan Data Protection Authority (APDCAT) has promoted the debate around the role of the DPO in Europe, at the 19th International Conference on Computers, Privacy and Data Protection (CPDP), which is being held until today, May 22 in Brussels, coinciding with the tenth anniversary of the General Data Protection Regulation. The international meeting aims to promote the analysis of the successes of this pioneering standard, without losing sight of some limitations, especially in relation to the current context, with recent proposals for simplification in favor of innovation and competitiveness, without losing sight of the guarantee of people's rights.

In this framework, the APDCAT has organized the panel 'Data, EU digital standards and DPOs', moderated by the head of the DPO Register and training and cooperation programs of the Authority, Olga Rierola Forcada. The objective of the panel was to explore how new digital regulations - such as the AI ​​Regulation, the Data Regulation, the Digital Services and Digital Markets Regulation - and the constant technological evolution are impacting the functions of DPOs, having to integrate new regulatory frameworks with the principles and obligations of the GDPR, which continues to maintain its centrality. In this sense, the panel addressed issues such as what are the main challenges and difficulties that DPOs face in this new regulatory scenario, which of the new EU digital regulations most directly impact their daily work and how they feel about this situation, and what they need from the point of view of organizations, so that they can face these new challenges arising from the integration of new regulations and preserving their independence. Finally, it was analyzed how Data Protection Authorities can accompany DPOs in this new regulatory scenario.

The panel included the participation of two data protection officers, Esther García Encinas, head of the Privacy and AI Office at CaixaBank, and Emese Savoia-Keleti, DPO of the Diplomatic Service of the European Union, as well as two Data Protection Authorities, who helped to contextualize the vision from the point of view of the guarantee bodies; Marit Hansen, Data Protection Commissioner of the German state of Schleswig-Holstein; and Daniele Nardi, legal advisor to the European Data Protection Supervisor.

The moderator opened the panel by highlighting the APDCAT's firm commitment to the figure of the DPO as a key actor in the defense of the right to data protection and related fundamental rights, and in this sense referred to the platform promoted by this Authority, 'DPD en Xarxa', through which the continuous training of DPOs, debate in thematic working groups and the creation of synergies between professionals are promoted.

In developing the table, Esther García Encinas highlighted that the main challenge for DPOs is the construction of effective and agile governance models, capable of integrating overlapping regulatory frameworks and adapting to technological evolution and changes, while preserving the independence of the DPD. She also highlighted the necessary evolution of the role of the DPO in the protection of fundamental rights, perhaps becoming a Fundamental Rights Officer (FRO) in the future.

She also highlighted, as an example of a practical challenge of overlapping regulations, the interaction between Article 35 of the GDPR and Article 27 of the AI ​​Regulation, noting that organizations still need to determine how to align both assessments. In this sense, he mentioned the work being carried out within the framework of 'DPD en xarxa', in which work is being done to integrate Data Protection Impact Assessments (DPIA) and Fundamental Rights Impact Assessments (FRIA).

On the other hand, Emese Savoia-Keleti, highlighted that the new European digital rules - the AI ​​Regulation, the Cybersecurity Law and the Digital Services Regulation, among others - are not simply adding workload to DPOs, but are fundamentally redefining what it means to be a DPO. In this sense, he stressed that the role of the DPO is transforming into a figure of transversal strategic advisor, consulted by the AI, IT security, procurement and communication departments, which generates both greater influence and growing concern as responsibilities are assumed in areas for which DPOs are not always fully prepared.

The key message of the speaker was that the DPO should be an enabler of digital innovation, not an obstacle, and should fully support data controllers. In this regard, she pointed out that the fundamental question is not whether DPOs can adapt to this new environment, but whether organizations will provide them with the tools, resources and authority to do so successfully.

For her part, Marit Hansen, introducing her perspective as a Data Protection Authority (DPA), highlighted how her Authority supports the role of the DPO in this new digital regulatory scenario and how the Data Protection Authorities themselves are also impacted by these new regulations, and how they share with the DPOs the challenges arising from the overlapping of regulations and the existence of different supervisory authorities.

She pointed out that the DPOs and the DPAs are in a very solid position to guarantee fundamental rights, because they have extensive expertise in the legal and technical aspects of data processing and are used to working in an interdisciplinary manner.

She concluded that the relevance of the work of the DPOs will increase as a direct consequence of the new requirements in terms of data sharing and security, and that communication between the different agents involved is key to making the entire system work.

Finally, Daniele Nardi focused on the need to assess the possible conflict of interest when new functions are attributed to the DPO, in light of what has been established in the "X-FAB" judgment (C-453/21), on the analysis that must be carried out to avoid conflicts of interest in accordance with the CJEU, and on the need to provide DPOs with the necessary resources to be able to assume these new functions.

He also addressed the concept of personal data established by the CJEU in the EDPS v. SRB judgment, C-413/23 P, and offered some advice to DPOs on how to manage the uncertainty that persists around the notion of personal data when faced with specific cases.