Article 37 of the GDPR indicates that any controller or processor shall appoint a Data Protection Officer (DPO) in the following situations:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR or personal data relating to criminal convictions and offences referred to in Article 10 GDPR.
In addition to the above, the different EU Member States may expand the situations in which a DPO must be mandatorily appointed, as is the case in Germany or Spain.
In any other case, it is also possible to appoint a DPO on a voluntary basis.
The GDPR allows the same DPO to be appointed for an entire group of companies (Article 37.2 GDPR).
When do we have to notify the DPO to the supervisory authority?
When we talk about registering or notifying the DPO, this means communicating the contact details of the DPO to the data protection supervisory authority. This is a requirement under Article 37.7 GDPR, which establishes that any controller or processor shall publish the contact details of the DPO and communicate them to the supervisory authority.
Article 37.7 GDPR, however, does not differentiate between mandatory and voluntary appointments of DPOs for the purposes of this notification, so any appointment of a DPO, whether on a voluntary or a mandatory basis, must be communicated to the data protection authority.
Please note that in certain countries, as is the case in Spain and Poland, there is a deadline for notifying the DPO to the authority (for example, 10 days from appointment in Spain, 14 days from appointment in Poland).
Where do we need to notify the DPO?
This is a particularly problematic question for international organisations that have a presence and/or provide services in several EU countries, and that may find it difficult to determine to which local data protection supervisory authorities they should notify the DPO. Unfortunately, neither the GDPR nor the existing guidelines from authorities on the role of the DPO answer this question directly, so we have to reach a conclusion based on the interpretation of various Articles of the GDPR.
To answer this question, your organisation may want to seek specific legal advice. In my personal view, it is necessary to perform an assessment of which EU Member States' data protection legislation would apply to your organisation according to the territorial scope criteria of Article 3 GDPR, which takes the following elements into consideration:
- Having an establishment in the Member State;
- Offering goods and services to individuals in the Member State;
- Monitoring the behaviour of individuals in the Member State.
In all those EU countries where the “territoriality test” is positive, you should consider notifying the DPO. The main reason is that your organisation may be subject to a local supervisory authority when (i) it is established in that Member State, or (ii) individuals residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by your processing activities (see Article 4(22) GDPR). This is likely to happen in countries where the “territoriality test” described above is positive, so it seems a good approach to notify the DPO in all these countries to avoid any risks.
If your company has a main establishment in the EU, it could benefit from the One Stop Shop mechanism and notify the DPO only to the lead supervisory authority (meaning the supervisory authority of the territory where this main EU establishment is located). However, in line with the guidance of some EU authorities, in this case it may also be necessary to notify the DPO to the supervisory authorities of other Member States, insofar as the appointment of the DPO is mandatory as a result of the activities of the controller or processor in those countries.
How to notify the DPO?
This varies from country to country. Each supervisory authority has implemented its own mechanism for this. In some countries the authorities are satisfied with a simple email from the controller/processor indicating the contact details of the DPO. In most other countries the authorities have implemented online forms for this purpose.
Please note that some supervisory authorities will require proof of the appointment of the DPO (such as an appointment letter or board resolution). In some countries, such as Spain or Poland, a digital certificate is required to access the notification form, or the authorities may require a power of attorney to ensure that the person submitting the notification has the power to act on behalf of the controller/processor, as in my experience is the case in Poland, Italy or the Czech Republic.
The information on how to proceed with the notification is available on the websites of the supervisory authorities, where you will be able to find out what the process looks like in each territory. A list of all the supervisory authorities (including links to their respective websites) is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Do we have to notify the DPO in the United Kingdom after Brexit?
Since the UK definitively separated from the European Union after Brexit, the EU GDPR no longer applies to the UK. For the time being, however, the main laws applicable in the UK are the UK GDPR (which is essentially similar to the EU GDPR) and the UK Data Protection Act 2018. According to these laws, it is necessary to appoint a DPO in the same cases explained at the beginning of this article. In addition, any appointment of a DPO, whether mandatory or voluntary, must be notified to the UK data protection authority, which is the Information Commissioner's Office (ICO).
You can notify the DPO to the ICO here: https://ico.org.uk/for-organisations/data-protection-fee/your-data-protection-officer-is/
Note: Please bear in mind that at the time of writing this article (December 2022) the UK is in the process of updating its data protection legislation, so the DPO role may disappear in the UK in the near future and be replaced by a different role (yet to be confirmed).