Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR.
While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available step-by-step guidelines, or even full-fledged electronic notification tools in which organizations are asked to complete and provide (often) detailed information going beyond the GDPR-prescribed DPO “contact details”.
Depending on company structure and setup, an organization may decide to appoint several DPOs instead of one (arguably if no overlap), may choose to locate its DPO outside of the EU, and may even decide to outsource the task of a DPO to an external contractor. It is these types of information the Supervisory Authorities’ notification forms and tools try to obtain. Examples of DPO notification forms and requirements recently introduced in a number of EU jurisdictions are listed below:
- Belgium: online form accessible here.
- France: online form accessible here.
- Ireland: online form accessible here.
- Italy: online form accessible here.
- Netherlands: online form accessible here.
- Poland: instructions accessible here (no form is made available).
- Spain: online form accessible here (registration is required).
- Slovakia: instructions accessible here (no form is made available).
- Sweden: online form accessible here.
- UK: online form accessible here.
Organizations should also be mindful that some Supervisory Authorities have set deadlines to complete notification. The Netherlands and Poland are two of the more prominent examples, with deadlines set between June and September 2018. Most other authorities have not explicitly set deadlines, but often indicate that DPO appointment is a requirement that should have been complied with by May 25. Organizations may therefore want to track their DPO notification progress and work on completing notifications in relevant jurisdictions.
* * *
Alston & Bird and its Brussels-based EU Privacy Team is closely following DPA action and privacy litigation in the EU Member States. For more information, contact Jan Dhont, Jim Harvey or David Keating.