Q&As

If a multinational company with entities in a number of EU states has registered a data protection officer (DPO) with the Information Commissioner’s Office (ICO), does it need to register a DPO in the other EU states where it has entities or is registration in one country sufficient?

Produced in partnership with Alexander Dittel of Kemp Little
Published on LexisPSL on 12.11.2019

The following Risk & Compliance Q&A produced in partnership with Alexander Dittel of Kemp Little provides comprehensive and up-to-date legal information covering:

If a multinational company with entities in a number of EU states has registered a data protection officer (DPO) with the Information Commissioner’s Office (ICO), does it need to register a DPO in the other EU states where it has entities or is registration in one country sufficient?

Under Article 37 of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR), companies have to appoint a data protection officer (DPO) if certain conditions are met. The Information Commissioner’s Office (ICO) offers a simple questionnaire to determine if a mandatory DPO is required. Even if a DPO is not required, a voluntary appointment of a formal DPO is possible.

A group of companies may appoint a single DPO provided that the DPO is easily accessible from each establishment (Article 37(2) of the GDPR). According to the Article 29 Data Protection Working Party Guidelines on Data Protection Officers (the DPO guidelines), ‘easily accessible’ refers to being available internally within the organisation as well as externally to data subjects and supervisory authorities.

The GDPR requires the details of the DPO to be published and communicated to the ‘supervisory authority’. The DPO guidelines refer to the ‘relevant supervisory authorities’. The objective of these requirements is to ensure that data subjects and supervisory authorities can easily, directly and confidentially reach the DPO without having to contact another part of the organisation.
