How many entities can one DPO serve at most?
Neither the provisions of the GDPR nor their interpretations, issued for example by the Article 29 Working Group in the form of guidelines, answer this question. However, this solution may be used only in justified cases, and the number of entities served must be within reasonable limits. The assessment depends on many factors, including, among others: the effective availability of the inspector, the possibility for him/her to gain detailed knowledge of how the entity functions, having an adequate amount of time for the scope of tasks and the specifics of the data processing operations, the need to avoid conflicts of interest, and the size of the organisational unit that is the data controller. Therefore, a concrete answer to the above question can only be given in the context of specific situations. Nevertheless, like any decision about solutions adopted in the field of personal data protection, the decision on choosing an appropriate person to perform the function of the DPO must be made with full awareness of the data controller's responsibility for proper compliance with legal provisions.