Notifying details of the DPO and Brexit
We aim to answer two key questions:
- Which national regulator should be notified of the details of a global company’s DPO if the company has entities in a number of EU member states?
- Will Brexit affect the position?
Appointing a DPO
Under Article 37 of the General Data Protection Regulation (GDPR) companies must appoint a data protection officer (DPO) if certain conditions are met. The Information Commissioner’s Office (ICO) offers a simple questionnaire to determine if a mandatory DPO is required. Even if a DPO is not required, a voluntary appointment of a DPO is possible.
Legal obligation to notify the details of the DPO
A group of companies may appoint a single DPO provided that the DPO is easily accessible from each establishment. According to the Article 29 Working Party’s Guidelines on DPOs adopted on 13 December 2016, “easily accessible” refers to being available internally within the organisation as well as externally to data subjects and supervisory authorities. DPOs must be easily, directly and confidentially contactable.
To ensure that this can be achieved, companies must:
- Publish the contact details of the DPO, for example, by making the details easily available on the company’s website.
- Register the fact that the company has a DPO with the “relevant” supervisory authorities or the supervisory authorities “concerned”, and provide any required contact details.
Which supervisory authority or authorities should be notified?
This depends on the type of processing activity:
- Cross-border processing: Where the company is carrying out “cross-border processing”, the DPO’s details should be notified to the “lead supervisory authority”. However, in some cases notifying the lead authority alone may not suffice.
- Local processing: If a global company operates in a number of member states, each supervisory authority remains competent to deal with local matters (for example, the processing of employee data) and may have to be notified.
- Likely to receive a complaint: It is also advisable to register with the local authorities in member states where data subjects reside who are “substantially affected or likely to be substantially affected” by the company’s processing (for example, where the company has a very large number of users in a member state).
In practice it may not be possible to notify each “supervisory authority concerned” because of its broad definition. Therefore, each company will have to determine to the best of its abilities which “relevant” supervisory authorities should be notified.
What are the effects of Brexit?
This depends on the type of processing activity:
- Cross-border processing: Depending on any deal or no-deal situation, the ICO may no longer be a supervisory authority “established by a Member State”. This means that if a global company has notified the DPO’s details to the ICO as its lead authority, following Brexit it will likely have to notify the details to other “relevant” EU supervisory authorities.
- UK processing: Companies operating in the UK will still need to register with the ICO, in the terms required by the UK Data Protection Act 2018.
Key takeaways
In conclusion, companies should:
- Include the DPO’s details on the company’s website, ideally, by setting up a separate link or page rather than burying the details in the privacy notice (there is no need to provide the DPO’s name).
- Carry out an analysis of which supervisory authorities are in scope, register local establishments and notify the relevant supervisory authorities.
Alex Dittel and Marta Dunphy-Moriel