On February 13, 2026, the European Data Protection Supervisor (EDPS) issued a press release stating that it had updated its supervisory guidance clarifying expectations around the role, independence, and protection of Data Protection Officers (DPOs).
While the guidance formally applies to EU institutions governed by Regulation (EU) 2018/1725, it reflects a broader supervisory posture that private-sector organizations should not ignore, as it illustrates how European regulators are applying and emphasizing the parallel DPO independence requirements set out in GDPR Article 38.
The message from regulators is clear: simply appointing a DPO is not enough. Organizations must be able to demonstrate that the role is structurally independent, properly positioned, and meaningfully involved in data protection governance.
For SaaS companies serving EU customers, operating internationally, or scaling toward enterprise markets, this guidance offers an important signal about where privacy oversight expectations are heading.
The Regulatory Shift: From Title to Function
Under Articles 37–39 of the GDPR, certain organizations must appoint a DPO. Others choose to do so voluntarily as part of a mature privacy program. Historically, enforcement focused on whether a DPO was appointed when required.
These independence principles are not new. The Article 29 Working Party’s 2016 Guidelines on Data Protection Officers (WP243), later endorsed by the European Data Protection Board (EDPB), already articulated expectations around reporting lines, conflict-of-interest safeguards, and functional independence under GDPR Articles 37–39. What the updated EDPS guidance reflects is a renewed supervisory emphasis on how those principles are operationalized, documented, and demonstrated in practice.
While EDPS guidance applies directly to EU institutions, supervisory authorities across the EU interpret materially similar independence requirements under GDPR Article 38. As enforcement and enterprise scrutiny increasingly focus on governance functionality rather than formal designation, institutional guidance often provides insight into how similar principles may be examined in private-sector contexts.
In fact, supervisory authorities have actively enforced these independence principles in the private sector. Most recently, in March 2025, the Norwegian Data Protection Authority fined Telenor ASA approximately $380,000 for failing to ensure DPO independence, not addressing conflicts of interest, and lacking a direct reporting line to senior management. This followed a wave of DPO-related enforcement actions in early 2025, including fines against Toyota Bank Polska (€132,000), Asper Biogene (€85,000), and multiple Austrian and Croatian organizations for appointing senior management or decision-makers as DPOs, all of which demonstrate that Article 38(6) independence requirements have real enforcement teeth across European jurisdictions.
The Telenor case is particularly instructive: despite having a designated DPO, the authority found that structural barriers prevented the role from functioning independently; precisely the operational reality that the new EDPS guidance emphasizes regulators will scrutinize.
The updated EDPS guidance signals a shift in focus and a growing emphasis on scrutinizing how the DPO function operates in practice.
That includes examining:
- Whether the DPO determines or influences the purposes and means of processing
- Whether the DPO has direct access to the highest level of management
- Whether the organization documented conflict-of-interest assessments
- Whether there are structural safeguards protecting the DPO from dismissal tied to their oversight activities
- Whether the DPO is involved in all matters relating to personal data protection
This reflects a broader enforcement trend: regulators compare governance documentation against operational reality.
Why This Matters for SaaS Organizations
Fast-growing SaaS companies often combine roles for efficiency. Legal, compliance, security, and risk functions may overlap. That is practical, but regulators are increasingly drawing lines around what cannot be combined.
For example:
- A DPO who negotiates and approves data processing terms could be viewed as influencing processing decisions, depending on organizational structure and safeguards.
- A DPO who leads IT, security, or product strategy may be viewed as determining means of processing.
- A DPO who lacks direct executive reporting may not meet independence expectations.
- A DPO role that exists “on paper” but is not formally involved in DPIAs, vendor reviews, or product launches may not withstand scrutiny.
Regulators recognize that early-stage organizations often balance governance ideals with practical resource constraints. The goal is not perfect separation on day one, but intentional design and documented safeguards as the organization scales.
As companies scale, these structural details increasingly surface during enterprise procurement reviews, customer security questionnaires, regulatory inquiries, and cross-border transfer assessments.
What Regulators Are Really Looking For
The updated guidance reflects three core themes.
1. Demonstrable Independence
Independence is not theoretical. It must be observable in structure, documentation, and reporting lines.
Organizations should be able to answer:
- Has a formal conflict-of-interest analysis been conducted?
- Is the DPO excluded from decisions that define purposes and means of processing?
- Are safeguards documented in governance materials?
If independence cannot be demonstrated, it may be challenged.
2. Structural Positioning
Under Article 38 of the GDPR, the DPO must:
- Report to the highest management level
- Have direct access to executive leadership
- Have sufficient resources and support
- Operate without receiving instructions on how to carry out DPO tasks
Organizational charts, board reporting structures, and internal policies should reflect this positioning clearly.
3. Protection Against Retaliation or Improper Dismissal
The guidance emphasizes that DPOs cannot be dismissed or penalized for performing their duties.
Organizations should ensure:
- Removal criteria are objective and documented
- Governance frameworks articulate DPO protections
- Decisions related to the DPO role are not tied to compliance findings or internal disagreements
A Practical Governance Self-Check
SaaS organizations can use the following framework to evaluate their DPO structure:
- Governance: Is the DPO’s reporting line documented and executive-facing?
- Conflict Assessment: Has a written independence analysis been completed?
- Operational Involvement: Is the DPO formally embedded in DPIAs, vendor reviews, and product launches?
- Documentation: Are DPO protections reflected in policies and governance materials?
- Resource Allocation: Does the DPO have adequate time, staffing, and access?
Even if your organization is not legally required to appoint a DPO, applying these principles strengthens privacy governance maturity.

In Closing: Structural Clarity & Demonstrable Accountability in Privacy Leadership
As regulators focus more closely on governance functionality, organizations that proactively validate DPO independence will be better positioned to navigate enterprise scrutiny and regulatory engagement. Privacy leadership is no longer about titles; it is about structural clarity and demonstrable accountability. Organizations that operationalize DPO independence early reduce regulatory friction, accelerate enterprise trust conversations, and avoid reactive remediation later.
Operationalizing DPO independence does not require building an entirely separate governance apparatus. In practice, it means embedding privacy oversight into the same continuous compliance workflows that support frameworks like SOC 2, ISO 27001, and ISO 27701.
Documented reporting lines, conflict-of-interest assessments, DPIA reviews, and vendor risk evaluations can all be maintained as living, auditable artifacts rather than static policies. When DPO governance is integrated into ongoing risk management and evidence collection processes, organizations strengthen both regulatory defensibility and enterprise credibility, without creating parallel, manual oversight structures. Learn how Drata can help.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. While this article discusses EDPS guidance issued under Regulation (EU) 2018/1725, that guidance applies specifically to EU institutions and does not create binding obligations for private-sector organizations. Organizations should consult qualified counsel regarding their specific DPO obligations under GDPR and applicable national laws.