New EDPS Decision Strengthens Protection of Data Protection Officers in EU Institutions

At the beginning of 2026, EDPS adopted Decision 01/2026, establishing detailed rules on the requirement of prior consent before dismissing a DPO in EU institutions and bodies.

At first glance, this may seem like a procedural clarification. In reality, it is a very strong signal about the independence, accountability, and structural role of the DPO function within public institutions.

Photo: Freepik 

The Decision makes one principle absolutely clear:

➡️ A DPO cannot be dismissed simply because their advice is inconvenient.

Under Regulation (EU) 2018/1725, a DPO may be dismissed only if they no longer fulfil the conditions required to perform their duties, and only with prior consent from the EDPS.

The EDPS now defines in detail:

➡️ What constitutes “dismissal”

➡️ What documentation must be submitted

➡️ How the right to be heard must be ensured

➡️ What conditions the EDPS will assess

➡️ What corrective measures apply if institutions bypass the consent requirement

This creates a predictable and transparent framework designed to protect the DPO from retaliation or indirect penalisation.

Although this Decision directly applies to EU institutions, agencies and bodies under EDPS supervision, the implications go much further. The DPO is a structurally protected function whose independence must be safeguarded.

Too often in practice, I still see:

➡️ DPOs reporting to operational management without safeguards

➡️ Combined roles that create real conflicts of interest

➡️ Budget or time restrictions that effectively weaken independence

➡️ Attempts to “reshape” the DPO function when advice becomes uncomfortable

The GDPR already requires that the DPO must act independently and must not receive instructions regarding the exercise of their tasks. This Decision shows what real institutional protection of that principle looks like.

Link

Author: Sebastian Burgemejster