Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Section 2.6. Publication and communication of the DPO’s contact details

Article 37(7) of the GDPR requires the controller or the processor:

  • to publish the contact details ofthe DPOand

  • to communicate the contact details of the DPO to the relevant supervisory authorities.

The objective of these requirements is to ensure that data subjects (both inside and outside of the organisation) and the supervisory authorities can easily and directly contact the DPO without having to contact another part of the organisation. Confidentiality is equally important: for example, employees may be reluctant to complain to the DPO if the confidentiality of their communications is not guaranteed.

The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38(5)).

The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach theDPO in an easy way (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communications with the public, other means of communications could also be provided, for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.

Article 37(7) does not require that the published contact details should include the name of the DPO. Whilst it may be a good practice to do so, it is for the controller or the processor and the DPO to decide whether this is necessary or helpful in the particular circumstances.

However, communication of the name of the DPO to the supervisory authority is essential in order for the DPO to serve as contact point between the organisation and the supervisory authority (Article 39(1)(e).

As a matter of good practice, the WP29 also recommends that an organisation informs its employees of the name and contact details of the DPO. For example, the name and contact details of the DPO could be published internally on organisation’s intranet, internal telephone directory, and organisational charts.

User Avatar
Richard V

You may also like

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3  Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2  Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1  Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …