Can public entities designate a single DPO outside the situation regulated by Article 37(3)

Pursuant to Article 37(3) of the GDPR, a single DPO may be designate - taking account of their organisational structure and size - by several data controllers who are public entities, e.g. public educational institutions, museums. Such entities, e.g. due to carrying out public tasks in the same area, may adopt similar organisational arrangements and use the same procedures.

The provisions of the GDPR do not explicitly prohibit the designation by several public entities of the same person as a data protection officer, except for the situation indicated in Article 37(3). The use of such a solution requires a careful analysis whether the designated person will be able to properly fulfil all his/her duties towards each controller.

At the same time, it is important to be aware that many of the duties of the DPOs provided for in the GDPR require an ongoing commitment to the controller that appointed the DPO and the so-called "effective availability" of the DPO to persons within the organisation. The tasks of the DPO include, for example, ongoing monitoring of the compliance of the processing of personal data with the law and providing information and advice on the obligations resulting from this law. Especially in the first years of application of the new legislation, DPOs will play an important role in fostering a 'data protection culture' and help to understand and implement all elements of the EU Regulation, many of which are new to our legal system.

It will also be difficult to perform the tasks of contact point for data subjects and contact point for supervisory authority in parallel in many entities. Under the Regulation, any person has the right to contact the data controller designated for an organisation with regard to any issue concerning his/her data. The supervisory authority, on the other hand, will be able to require the DPO's willingness to co-operate in connection with the performance of the authority's tasks and powers with regard to conducted proceedings, as well as so-called 'prior consultation'.

Any person acting as a DPO must avoid conflicts of interest. The requirement not to cause a conflict of interest is closely linked to the requirement to perform tasks in an independent manner. Thus, there are very specific legal requirements related to the function of DPO and these requirements will have to be conscientiously adhered to.