Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Section 2.3 Designation of a single DPO for several organisations

Article 37(2) allows a group of undertakings to designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority but also internally within the organisation, considering that one of the tasks of the DPO is ‘to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation’.

In order to ensure that the DPO, whether internal or external,is accessible it is important to make sure that their contact details are available in accordance with the requirements of the GDPR.

He or she, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO. According to Article 37(3), a single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size.The same considerations with regard to resources and communication apply. Given that the DPO is in charge of a variety of tasks, the controller or the processor must ensure that a single DPO, with the help of a team if necessary, can perform these efficiently despite being designated for several public authorities and bodies.