The European Data Protection Supervisor today strengthened protections for data protection officers working across European Union institutions by establishing mandatory procedures that could block their removal from office. The regulatory action addresses mounting concerns about institutional independence within EU privacy governance structures.
According to a press release issued today, the EDPS adopted Decision 01/2026 on January 16, 2026, creating binding rules on the application of the requirement of prior consent by the EDPS for the dismissal of data protection officers. The decision, published in the Official Journal on January 29, 2026, creates a formal procedural framework that all EU institutions, bodies, offices and agencies must follow when seeking to terminate a DPO before the scheduled end of their designation term.
"Since 2002, DPOs have been a cornerstone of effective data protection governance within EUIs," stated Wojciech Wiewiórowski, the European Data Protection Supervisor. "The updated Guidance and Rules on Consent for DPO Dismissal aim to strengthen their role by ensuring the independent, consistent and effective application of EU data protection law."
The regulatory intervention builds on supervisory guidance the EDPS issued on December 18, 2025, clarifying the DPO's role, position and tasks within EU institutions. That document provided practical guidance on the designation of DPOs, their institutional positioning, independence guarantees, and assigned responsibilities. The January decision transforms those expectations into enforceable requirements.
Procedural mechanics establish substantial barriers
The new rules establish detailed submission requirements for any EU institution seeking to dismiss its designated DPO. Institutions must send requests via encrypted email to [email protected] or through other secure communication channels agreed with the EDPS. Each request must include the name and contact details of both the institution and the DPO concerned, the term of the DPO's designation and its scheduled expiry date, and the institution's justification for the intended dismissal.
EU institutions face particularly demanding documentation obligations. According to the published rules, requests must include the institution's explanation as to why the DPO no longer fulfills the conditions required for performing their duties, any grounds for dismissal unrelated to DPO performance, and all relevant supporting documentation. This documentation requirement encompasses DPO designation decisions, performance appraisals, organizational charts, job descriptions, codes of conduct, internal correspondence, meeting minutes, and any ongoing or concluded investigations or court proceedings.
The rules require institutions to provide a formal commitment not to proceed with the dismissal pending the EDPS's decision and to maintain the DPO's functions, access, responsibilities and resources unchanged. This commitment provision effectively freezes personnel decisions during the review period.
Incomplete requests trigger formal notices to comply within prescribed time limits. If institutions fail to correct deficiencies within those deadlines, the EDPS shall consider the request formally inadmissible and deny consent. The rules generally prohibit the EDPS from considering submissions following the initial complete request, though exceptions exist for relevant facts unknown at the time of submission.
Assessment criteria emphasize independence protection
The EDPS evaluates whether the DPO concerned continues to fulfill the conditions required for performing their duties. According to the decision's annex, this assessment examines professional qualities and expertise in data protection law and practice sufficient to perform the role; the ability to perform tasks assigned to DPOs under EU regulation, including informing and advising controllers, monitoring compliance, and cooperating with the EDPS; and whether the intended dismissal aims to penalize the DPO for performing their tasks.
The EDPS may consider grounds unrelated to DPO performance that institutions put forward to justify intended dismissals. However, the supervisor shall give consent only where satisfied that institutions demonstrate objective and proportionate grounds, unrelated to DPO duties, which do not directly or indirectly undermine independence and effective performance of DPO tasks within the institution.
The framework draws from existing EU privacy law establishing fundamental DPO protections. Regulation (EU) 2018/1725 provides that designated DPOs may only be dismissed from their posts if they no longer fulfill the conditions required for performing their duties, and only with the EDPS's prior consent. The regulation establishes that DPOs may not be dismissed or penalized by controllers or processors for performing their tasks.
The Court of Justice clarified these protections in its June 22, 2022 judgment in Leistritz AG. That ruling established that the prohibition against dismissal or penalty means DPOs must be protected against any decision terminating their duties by which they would be placed at a disadvantage or which would constitute a penalty.
Procedural safeguards create multilayered review
The rules establish a right to be heard for both the DPO concerned and the institution seeking dismissal. Before deciding on consent, the EDPS shall give the DPO concerned the opportunity to be heard by communicating the intended decision together with a summary of justifying reasons. The supervisor may give the institution the opportunity to be heard upon reasoned request detailing why submissions under earlier sections prove insufficient.
The EDPS may hold hearings on its own initiative or upon reasoned request from either the institution or the DPO concerned, submitted together with comprehensive written observations. The supervisor may refuse hearings where it deems parties have already been able to present all relevant facts or where their views can be or have been effectively presented in writing. Where hearings occur, the EDPS Decision of September 27, 2023 on the Rules on the Hearing in EDPS Investigations applies by analogy.
As a general rule, the EDPS shall notify institutions and DPOs of decisions within six weeks of receiving complete requests or the expiry of time limits for corrections. Where necessary, taking into account request complexity and institutional cooperation levels, the supervisor may extend this period by up to two further periods of eight weeks. The rules specify that the EDPS shall not give retroactive consent, with any consent given applying for the future.
Enforcement provisions address circumvention attempts
The decision establishes corrective measures addressing institutions that attempt to circumvent the consent requirement. Where the EDPS has sufficiently substantiated reasons to believe an institution intends to dismiss its designated DPO without first obtaining prior consent, including based on information from the DPO concerned, the supervisor shall take an immediate decision to refer the matter to the institution.
Immediate decisions prove warranted where DPOs face imminent dismissal, credible evidence exists of retaliation linked to DPO task performance, delay would risk causing irreversible harm to DPO function independence, or any other measure is taken or envisaged that could impair independence or effective performance of DPO tasks.
Where the EDPS finds that institutions have dismissed designated DPOs without obtaining prior consent, the supervisor shall notify the institution of the finding that dismissal without prior consent constitutes an infringement; order the institution to bring the situation into compliance by annulling the dismissal and submitting a consent request within a specified period; and inform the institution that failure to comply with orders is subject to administrative fines of up to 25,000 euros per infringement and up to 250,000 euros per year.
The rules authorize the EDPS to use any other corrective powers necessary in light of particular case circumstances. These enforcement provisions apply to Europol under Regulation (EU) 2016/794, Eurojust under Regulation (EU) 2018/1727, and the European Public Prosecutor's Office under Regulation (EU) 2017/1939, in addition to standard EU institutions and bodies.
Publication requirements balance transparency against confidentiality
The EDPS shall inform DPOs of all EU institutions of its decisions taken on the basis of the consent requirement. The supervisor shall make redacted or summarized versions of decisions public, taking into account legitimate interests including protection of personal data, rights and freedom of others, confidentiality, professional and business secrecy, or public security.
According to the rules, the EDPS shall report in its annual report on the operation of the present rules. The decision enters into force on the twentieth day following its publication in the Official Journal of the European Union, establishing February 18, 2026 as the effective date.
The regulatory framework arrives amid broader European privacy enforcement developments. The European Commission proposed major GDPR changes in November 2025 addressing artificial intelligence development and individual privacy rights. The European Data Protection Board clarified DSA compliance requirements in September 2025, establishing how digital marketers must navigate complex intersections between Digital Services Act and GDPR obligations.
Privacy enforcement patterns reveal persistent challenges across European privacy governance structures. GDPR enforcement data showed low fine rates across European authorities between 2018 and 2023, with only 1.3 percent of cases resulting in monetary penalties. The EU's attempt to fix GDPR enforcement through procedural regulation faced criticism in April 2025 for creating additional bureaucratic hurdles.
The EDPS previously demonstrated willingness to challenge EU institutions over privacy violations. The supervisor ruled that the European Commission illegally targeted political advertisements on X in December 2024, finding the Commission violated multiple articles of Regulation (EU) 2018/1725 when promoting its proposed chat control regulation. The EDPS investigation of Microsoft's services to EU institutions concluded in August 2025, though Microsoft secured regulatory approval despite admitting inability to protect European data from US government demands.
Broader institutional context reflects governance tensions
The DPO protection framework reflects fundamental tensions in European privacy governance between institutional interests and individual rights safeguards. The designation requirement applies to each Union institution, body, office and agency under the European Union Data Protection Regulation, as well as to Europol under its specific regulation, Eurojust under its regulation, and the European Public Prosecutor's Office under its regulation.
Given the central role of DPOs in advising controllers and monitoring application of rules governing personal data processing, the decision emphasizes that DPOs must remain able to perform tasks independently and effectively in all contexts. This proves equally important for administrative personal data relating to the internal functioning of Union institutions and bodies and for operational personal data processed in the performance of the tasks of Union institutions and bodies when carrying out activities falling within the scope of EU treaty provisions.
The DPO's ability to provide impartial advice, monitor compliance, and act as a point of contact for data subjects and the EDPS should be safeguarded and effectively supported, according to the decision's preamble. Independence of the DPO represents a structural guarantee essential for ensuring compliance with applicable provisions on data protection and enabling the DPO to perform statutory duties without fear of retaliation.
Protecting DPO independence serves as a prerequisite for effective data protection governance frameworks within Union institutions and bodies and an important safeguard for individuals' fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The Treaty on the Functioning of the European Union provides that an independent authority is to control compliance with rules on protection of personal data processed by Union institutions, bodies, offices and agencies.
The framework reflects the experience the EDPS has acquired in enforcing the provisions concerning DPOs. In light of this experience, to ensure consistent application of the EDPS prior consent requirement for DPO dismissals across all Union institutions and bodies, and to prevent circumvention of the mandatory requirement for prior EDPS consent, the information to be provided must be laid down in advance in a clear and foreseeable manner.
The selection procedure for a new EDPS mandate for the next term of five years remains ongoing. Wojciech Wiewiórowski was appointed by joint decision of the European Parliament and Council to serve a five-year term beginning December 6, 2019. The EDPS is the independent supervisory authority with responsibility for monitoring processing of personal data by EU institutions and bodies, advising on policies and legislation affecting privacy, and cooperating with similar authorities to ensure consistent data protection.
Timeline
- October 23, 2018: Regulation (EU) 2018/1725 enters into force establishing the European Union Data Protection Regulation
- December 6, 2019: Wojciech Wiewiórowski appointed European Data Protection Supervisor
- June 22, 2022: Court of Justice delivers judgment in Leistritz AG establishing DPO dismissal protections
- September 27, 2023: EDPS adopts Decision on the Rules on the Hearing in EDPS Investigations
- December 2024: EDPS rules European Commission illegally targeted political ads on X
- April 2025: EU's attempt to fix GDPR enforcement faces criticism for creating bureaucratic hurdles
- August 2025: EDPS closes Microsoft investigation despite data protection concerns
- September 2025: European Data Protection Board clarifies DSA compliance for marketers
- November 2025: European Commission proposes major GDPR changes for AI and data processing
- December 18, 2025: EDPS issues Supervisory Guidance on the role of DPOs in EU institutions
- January 16, 2026: EDPS adopts Decision 01/2026 establishing rules on prior consent for DPO dismissal
- January 29, 2026: Decision 01/2026 published in Official Journal of the European Union
- February 18, 2026: Decision 01/2026 enters into force
Summary
Who: The European Data Protection Supervisor established binding rules affecting all EU institutions, bodies, offices and agencies that have designated data protection officers. The framework applies specifically to Europol, Eurojust, the European Public Prosecutor's Office, and all other Union institutions under EDPS supervisory competence.
What: The EDPS adopted Decision 01/2026 on January 16, 2026, establishing detailed procedural requirements that EU institutions must follow when seeking prior consent to dismiss their designated data protection officers before the scheduled end of their designation terms. The decision creates comprehensive submission requirements, assessment criteria, procedural safeguards, enforcement provisions, and publication requirements governing the consent process.
When: The EDPS issued supervisory guidance on December 18, 2025, and adopted the binding decision on January 16, 2026. The decision was published in the Official Journal on January 29, 2026, and enters into force on February 18, 2026. The framework applies immediately upon entry into force and should be reflected in the internal practices and decision-making of all EU institutions.
Where: The rules apply throughout all European Union institutions, bodies, offices and agencies under EDPS supervisory competence. This includes EU institutions and bodies under Regulation (EU) 2018/1725, Europol under Regulation (EU) 2016/794, Eurojust under Regulation (EU) 2018/1727, and the European Public Prosecutor's Office under Regulation (EU) 2017/1939.
Why: The EDPS acted to strengthen DPO effectiveness and independence by ensuring consistent application of prior consent requirements, preventing circumvention of mandatory consent procedures, and protecting DPOs from retaliation for performing their statutory duties. The framework reflects the experience the EDPS has acquired in enforcing the provisions concerning DPOs and establishes clear, predictable procedures allowing the EDPS to verify whether legal conditions for dismissal are fulfilled based on objective grounds that do not impair DPO independence or effective performance.