Article 37(2) allows a group of undertakings to designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority but also internally within the organisation, considering that one of the tasks of the DPO is ‘to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation’.
In order to ensure that the DPO, whether internal or external, is accessible it is important to ensure that their contact details are available in accordance with the requirements of the GDPR.
He or she must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned.
According to Article 37(3), a single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size. The same considerations with regard to resources and communication apply. Given that the DPO is responsible for a variety of tasks, the controller must ensure that a single DPO can perform these efficiently despite being responsible for several public authorities and bodies.
The personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.
The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38(5)). However, the obligation of secrecy/confidentiality does not prohibit the DPO from contacting and seeking advice from the supervisory authority.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018