EDPS strengthens DPO role: new guidance and binding rules to protect DPO independence across EU institutions

Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the European Data Protection Supervisor (EDPS) has adopted two key documents clarifying the role and protection of DPOs within EUIs.

On 18 December 2025, the EDPS issued a Supervisory Guidance on the role of DPOs in EUIs. The Guidance clarifies the EDPS’s interpretation of the DPO’s role, position and tasks in EUIs. It provides practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Building on this Guidance, the EDPS adopted Decision 01/2026 on 16 January 2026, establishing binding Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs.  These Rules set out a clear and uniform procedural framework that EUIs must follow when seeking the EDPS’s prior consent before dismissing a DPO prior to the end of their designation term. 

Taken together, the Guidance and the Rules clarify both the EDPS’s expectations and the applicable procedural requirements. They apply immediately and should be reflected, as appropriate, in the internal practices and decision‑making of all EUIs concerning the position and protection of DPOs.

Wojciech Wiewiórowski, Supervisor, said: “Since 2002, DPOs have been a cornerstone of effective data protection governance within EUIs. The updated Guidance and Rules on Consent for DPO Dismissal aim to strengthen their role by ensuring the independent, consistent and effective application of EU data protection law. These measures reinforce the DPO’s position as a critical internal safeguard for the protection of personal data.”