DPO enforcement programme – an additional 170 organisations brought into compliance

26th November 2021

The Data Protection Commission has successfully completed the most recent stage in its Data Protection Officer (DPO) enforcement programme, aimed at improving compliance with Article 37 of the GDPR.

The project, which was initiated in 2020, assessed the compliance of public bodies with their obligations under Article 37.7 of the GDPR, which mandates that public bodies are among the specific categories of data controller required to appoint a DPO and notify the DPO’s details to the relevant Supervisory Authority.

This initial phase identified over 77 potentially non-compliant public bodies from a total of almost 250. Following the intervention of the DPC, over 70 organisations brought themselves into compliance, raising the sector’s compliance rate from 69% to near 100%.

In 2021, the DPC expanded the project to include the private sector, acknowledging that there is no automatic requirement for non-public sector organisations to appoint a DPO. The appointment of DPOs in private sector organisations is determined by the scale and nature of the processing activities involved. With this in mind, the DPC identified several sectors likely to meet the threshold to appoint a DPO. These sectors included Private Hospitals & Out-of-Hours GP Services, Banking Entities, and Credit Unions. A summary of the findings is as follows:

Private Hospitals and Out of Hours GP Services

  • 24 Private Hospitals and out-of-hours GP services were identified during the compliance review.
  • Of these, 42% of identified services had appointed a DPO and notified the DPC in accordance with Article 37(7) GDPR.
  • Following DPC intervention, 100% of identified services have brought themselves in to compliance with the requirements.

Banking Entities

  • 34 Banking entities were identified during the compliance review.
  • On initial inspection, 74% of identified entities were compliant.
  • Following engagement, 80% of identified entities are in compliance, three entities have given reasons for not appointing a DPO and the remainder are subject to ongoing engagement with the DPC.
  • The DPC will be reviewing the reasons given for not appointing a DPO to ensure the correct application of Article 37(1)(b) and (c).

Credit Unions

Credit Unions were contacted separately to the other banking entities due to the number of credit unions in the country.

  • 242 credit unions were identified during the review.
  • On initial inspection, 29% of credit unions were in compliance with Article 37(7) and 3% were in partial compliance.
  • Following first stage engagement, the rate of compliance has risen to 64%, with 10% in partial compliance.
  • 13% of credit unions identified have chosen not to designate a DPO.
  • The credit unions engagement remains ongoing and the DPC will be reviewing the reasons given for not appointing a DPO to ensure the correct application of Article 37(1)(b) and (c).

In total, to date more than 170 additional organisations now comply with Article 37(7) as a result of the DPC’s intervention, making DPOs more accessible to individuals seeking to exercise their data protection rights.

In cases of where the DPC identifies persistent non-compliance, further enforcement measures will be taken as proportionate and necessary to ensure compliance with the requirements of the GDPR.

Before extending compliance checks to other sectors, the DPC will consider whether further guidance is necessary to address any issues of concern.

Further information on the role of a DPO is available here. Data controllers that wish to notify the DPC of their DPO details can do so by submitting the following form.