The Catalan Data Protection Authority ( APDCAT) has verified compliance with the obligation to designate and communicate the appointment of a data protection officer (DPO) in the majority of Catalan public entities analysed in the last audit carried out. Specifically, the APDCAT has confirmed that 96% of the 224 public sector entities analysed (between professional associations, consortia and private universities) have adapted to the requirements established by the standard regarding this obligation.
However, the APDCAT has detected that 8 of the audited entities do not comply with this obligation. That is why the Authority has initiated disciplinary proceedings against these entities, due to lack of communication to the APDCAT of the designation and contact details of the DPO.
The audit, carried out between March and September 2022, has also had a multiplier effect on entities that have not been the subject of the audit. This is demonstrated by the fact that in this period the Authority has received 282 communications from DPO, an increase of almost 100% over the same period of the previous year. This is explained by the increased awareness of this obligation, both between DPOs that have functions in more than one entity, and between entities that were part of audited consortia.
Three phases of execution
The audit report on compliance with the obligation to appoint a data protection officer and communicate his appointment to the APDCAT presents the results achieved in three different phases. Thus, after an initial analysis of the data from the existing DPO registry, the entities that did not comply were required to communicate the designated DPO to the APDCAT. This allowed us to go from an initial compliance of almost 61% of entities at the beginning of the audit to the current 96%.
The figure of the DPO is essential in the field of data protection. It is key to ensuring that organizations that process personal data comply with the obligations established in the regulations. Among its functions, it acts as an interlocutor with the control authority, in this case the APDCAT. It also advises the organization on data protection and attends to citizens' requests regarding their data protection rights. The standard obliges all public sector bodies to designate and communicate a DPO. Other organizations that process special categories of data (health, racial origin, etc.) on a large scale, or that process data that require the usual and systematic observation of people on a large scale, are also obliged to do so.