Designation of the DPO

The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection; hereinafter: IC) has received your request for issuing an opinion concerning the designation of the Data Protection Officer (hereinafter: DPO).

Based on the information you have provided us, below, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and the repeal Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, 177/20, hereinafter: ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter: ZInfP), we provide our non-binding opinion regarding your question.

The IC believes that the provisions of the GDPR and of the WP29 Guidelines on Data Protection Officers indicate the possibility of designation of only one DPO.

E x p l a n a t i o n:

First of all, the IC would like to clearly express that it is not competent to interpret Serbian national legislation and cannot comment on its provisions.

As stated in your request for an opinion, the GDPR stipulates in Article 3/2(a) that it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.

The IC generally explains that the GDPR and also the WP29 Guidelines on Data Protection Officers (hereinafter: Guidelines) only use the DPO in a singular sense. For instance, the Guidelines state that “He or she, with the help of a team, if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned”. Furthermore, the GDPR states in Article 37/2 that a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The IC further explains that in order to ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.

The IC believes that all the mentioned provisions indicate the possibility of designation of only one DPO.

On the other hand, the IC emphasizes that the designation of the DPO is an obligation of the controller (or processor). According to the GDPR and the Guidelines, each controller or processor can designate a DPO for all the processing carried out by the controller or the processor. Therefore, the IC wishes to express its general stand that if a company would have different legal entities with each one responsible for its own processing activities, or a group having different companies per country, each one could have its own DPO. According to the information in your request for an opinion, this condition is probably not met in your specific case.

Finally, the IC would like to emphasize that the final judgment regarding the appointment and position of the DPO is the domain of each controller or processor and that the IC has no powers in the process of appointing this person according to the GDPR, and in this regard it cannot and may not draw any conclusions.

Kind regards,

Matej Sironič,                                                   

Personal Data Protection Advisor

Mojca Prelesnik

Information Commissioner of the Republic of Slovenia