Can a Single Data Protection Officer be appointed to a different organization?

There is no bar to appoint a single DPO for a group of undertakings and it completely depends upon the mutual understanding of organisations, provided the DPO is easily accessible from each establishment. In cases where the controller or the processor is a public body then in such scenarios also a single DPO may be designated for all such authorities although the deciding factors must be organisation structure and size. 

It is not to be misunderstood when one refers to Internal DPO and External DPO. Internal DPOs are the employees of the organization and who are usually present within office premises whereas external DPOs, as per Article (6) of GDPR, are:

  • Retained via services contract; or 
  • A self-employed individual is hired; or
  • The task is shared between/among the undertakings; or 
  • An employee of some other company as well (for e.g. law firms, or similar kinds of firms which provide such services).

Who can be a Data Protection Officer?

It is often misunderstood that a DPO must be a lawyer but it must be understood that, as per the regulation, there are no such requirements, rather the provisions focus more on their skills and expertise. For better understanding, the DPO must have expertise in and knowledge of –

  1. Data protection law and practices;
  2. Performing the tasks regularly undertaken by a DPO; and
  3. A DPO may be a staff member of controller or processor; or 
  4. An individual fulfilling the task based on a service contract. 

Point (b) and (c) to be noted and marked since there is a common misconception that staff members cannot be appointed as a DPO or under a service contract as per the GDPR regulations.

Publication of contact details of the appointed DPO

Once the appointment of DPO is made, the controller and processor must publish the contact details of the Data Protection Officer on their website or wherever possible. The intention behind this is to notify the general public in case of any grievance that needs to be redressed. The contact details of the DPO shall also be communicated to the supervisory authority which is the data protection authority (DPA). DPAs are independent public authorities assigned to supervise and investigate the breach of GDPR.  

Picture Credit- https://gdprinformer.com