Role of DPOs within EU Institutions: Mapping Obligations and Current Landscape

1. EDPS Guidelines on the Role of DPOs

On 18 December 2025, the European Data Protection Supervisor (EDPS) published guidelines on the role of Data Protection Officers (DPOs) within the institutions of the European Union. This publication was accompanied by a decision issued on 16 January 2026, aiming to clarify and strengthen the position of DPOs in EU institutions. These documents fall within the scope of Regulation 2018/1725 (EUDPR), which is the equivalent of the GDPR for EU institutions.

The guidelines primarily target:

  • DPOs working within EU institutions;
  • Controllers of these entities;
  • More broadly, actors involved in data governance across EU institutions.

2. Objectives of the EDPS Guidelines

The guidelines and decision aim to:

  • Reiterate and update existing recommendations regarding the DPO’s role;
  • Harmonize practices among EU institutions;
  • Reinforce the effectiveness of the DPO’s role.

The EDPS emphasizes that DPOs are a fundamental pillar [1] of the compliance system established under the EUDPR.

3. Focus on the Role of DPOs in EU Institutions

A Timely Reminder of the Central Role of the DPO

The EDPS highlights in its guidelines that the DPO is responsible for:

  • Ensuring internal compliance [2];
  • Promoting a culture of data protection [3];
  • Upholding the principle of accountability [4].

As such, the DPO acts as advisor, auditor, and point of contact with the EDPS, in line with Regulation 2018/1725.

Appointment of the DPO

Under Article 43(1) of the EUDPR, every EU institution must appoint a DPO for a renewable term of 3 to 5 years [5]. This duration is intended to ensure independence and stability.
The appointment must be notified to the EDPS [6], a feature unique to this regulatory framework.

Position of the DPO within EU Institutions

The EDPS structures its guidelines around two main pillars:

1. Independence of the DPO [7]

The EDPS reiterates the need for:

  • Hierarchical reporting at the highest level [8];
  • Formal recognition within the institution’s organizational chart [9];
  • No functional subordination in performing their duties [10].

The controller must also implement organizational measures to prevent conflicts of interest [11].

2. Continuity of the DPO’s Tasks [12]

This includes:

  • Being consulted on planned processing operations and new technologies [13];
  • Alerting management in case of non-compliance with the EUDPR;
  • Providing improvements and recommendations without fear of sanctions [14].

DPO Functions

The guidelines detail the tasks defined under the EUDPR, including:

  • Informing and raising awareness among EU institution staff;
  • Advising the institution on processing operations, DPIAs, or data breaches;
  • Managing data subject rights requests [15];
  • Interacting with the EDPS and the DPO network [16] to ensure harmonized application of rules across institutions;
  • Ensuring adequate resources [17], including material means, access to data, and human resources through a DPO team.

Strict Framework for DPO Dismissal

The EDPS introduces strict rules for EU institutions wishing to dismiss a DPO. The DPO may only be dismissed under two cumulative conditions:

  1. The DPO no longer meets the conditions required for the role; and
  2. The dismissal is subject to prior approval from the EDPS.

Additionally, the decision provides that any DPO subject to a dismissal request must be granted a right to be heard by the EDPS [18], ensuring that the DPO’s position is taken into account before the institution’s request is decided.

This mechanism is a key safeguard of DPO independence. In particular, a DPO cannot be dismissed or sanctioned for properly carrying out their duties, even when taking a critical or constraining position toward the institution.

The CJEU [19] has clarified that the ban on dismissing or sanctioning a DPO for exercising their functions serves two main objectives:

  • Preserving the DPO’s functional independence;
  • Ensuring the effectiveness of data protection rules.

If the EDPS finds the dismissal unfounded or abusive, the institution may face an administrative fine of €25,000 per infringement, up to €250,000 per year [20].

4. Implications and Relevance for Professionals

Although these guidelines specifically target EU institutions bound by the EUDPR, they also:

  • Reflect key GDPR principles;
  • Clarify expectations regarding the role and duties of DPOs across all types of organizations;
  • Serve as a benchmark for best practices.

Possible takeaways for broader application include:

  • Independence of the DPO;
  • Adequate resourcing, as the lack of material means remains a recurring challenge;
  • Early involvement of the DPO, ideally during the design phase of processing activities;
  • Building a culture of compliance, notably through awareness and training, which remain insufficient in many organizations.

The EDPS guidelines set out a particularly demanding and structured vision of the DPO’s role. They promote an ambitious model: a DPO who is independent, strategic, and fully integrated into data governance. Although addressed to EU institutions, their influence extends well beyond, offering a true reference standard for any organization seeking to strengthen GDPR compliance and professionalize the DPO function.


Notes

  1. Page 6, recital 5 of the guidelines and recital 4 of the decision.
  2. Article 45 (1) (b), (h) and (2) of the EUDPR.
  3. Article 45 (1) (a) and (c) of the EUDPR, recital 163 of the guidelines.
  4. Recital 108 of the guidelines.
  5. Article 44 (8) EUDPR.
  6. Article 44 (9) of the EUDPR and recital 12 of the guidelines.
  7. Articles 44 (3), (5) and (7) EUDPR and page 16 of the guidelines.
  8. Recital 97, page 18 of the guidelines.
  9. Page 19 of the guidelines.
  10. Page 16, recital 84 et seq. of the guidelines.
  11. Article 44 (6) EUDPR, page 20 of the guidelines.
  12. Recitals 40 et seq. of the guidelines.
  13. Recital 48 of the guidelines.
  14. Recital 55 of the guidelines.
  15. In accordance with Articles 44 (4), (7) and 45 (2) of the EUDPR, recitals 178 et seq. of the guidelines.
  16. Recitals 8 and 204 et seq. of the guidelines.
  17. Article 44 (2) EUDPR, page 13 of the guidelines.
  18. Decision adopted, annex, “3. Right to be heard”.
  19. CJEU, 22 June 2022, Leistritz, C-534/20, §28.
  20. Decision, annex, “8. Corrective measures, 8.3 (c)”.

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI