Article 37.2 of the General Data Protection Regulation (GDPR) mentions the possibility of appointing a Data Protection Officer (DPO) for a business group, provided that the DPO is accessible from each establishment. This article has led to the conclusion that by appointing a DPO for the group the obligation is met. However, it is relevant to ask before which data protection authority the DPO of the company group should be registered, and whether this obligation is fulfilled by the appointment of the DPO before the supervisory authority of the head office in Europe.
With regard to the appointment of the DPO before the respective Data Protection Authorities (DPAs) by corporate groups, the most logical interpretation of this article leads us to think that the appointment of the DPO before the DPA of the group's headquarters fulfills the obligation. Even more so if we take into account the obligations of cooperation and mutual assistance between the different authorities in recital 123 and article 61 of the GDPR.
Recent Cases on the Appointment of the DPO
However, the analysis of two recent cases, one by the Hamburg DPA in November 2019, mentioned in its report at the beginning of 2020, and a more recent one by the Spanish Data Protection Authority (Agencia Española de Protección de Datos), may lead us to a different conclusion: one in which it is necessary to register the DPO with the corresponding DPA in each country where the company group is located.
In the German case, the Hamburg authority imposed a fine of 51,000 euros on Facebook GmbH. The Hamburg DPA considered that a violation of the obligations of Article 37.7 of the GDPR had occurred, by not communicating the appointment of the DPO to the competent authority, despite having appointed a DPO for the group before the Irish authority. The sanction on Facebook serves as a warning by the authority to companies that the duty to notify the authorities of the DPO's appointment cannot be waived and may result in sanctions.
The Spanish DPA in June 2020 issued Resolution No. PS/00417/2019, in which it imposed a penalty of 25,000 euros on GLOVOAPP23, S.L. (Glovo) for having failed to appoint the DPO before the Spanish authority. The company in this case was obliged to appoint a DPO in accordance with Article 37.1 GDPR. Consequently, since it was obliged to appoint a DPO, it was also required to notify the Spanish DPA according to Article 34.2 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD). As a result, the Spanish DPA sanctioned Glovo for failing to comply with the obligations to appoint a DPO in accordance with article 37.1 lit. b) of the GDPR, since its main activity consisted of regular and systematic monitoring of data subjects on a large scale, and it is therefore called upon to comply with the duty to notify the Spanish DPA under article 34 of the LOPDGDD.
Concerning the appointment of the DPO, Glovo argued that there was a Data Protection Committee in place, which had been performing the tasks of the DPO in accordance with the obligations of Article 39 of the GDPR, thus guaranteeing the rights of data subjects. Another of Glovo's arguments was that the DPO had been appointed on 23 May 2019 but was not notified to the Spanish DPA until February 2020. Article 34.2 of the LOPDGDD mentions that once the DPO has been appointed, regardless of whether the appointment is obligatory or voluntary, the data controller has 10 days to notify the Spanish DPA. Therefore, the obligation of appointing a DPO had not been fulfilled.
Designation of the DPO to the Data Protection Authorities
Considering the above examples, we can begin to distinguish a pattern in which European DPAs have twice required that, in addition to the DPO being appointed, the appointment also be notified to them. Although there is still no clarity as to how to comply with the obligation to appoint a DPO for a group of companies in accordance with article 37.2 of the GDPR, these cases may have shed some light on the matter. The interpretation of the authorities in the two previous cases seems to suggest that, under article 37.7 of the GDPR, the appointment of the DPO should be notified to the respective DPAs in all locations of the company group.
In addition, the local Spanish data protection regulation, in article 34.3, requires that the designation of the DPO before the Spanish DPA be carried out within a term of 10 days following their appointment. Other data protection authorities, such as the Information Commissioner's Office (ICO) in the United Kingdom, also suggest that in the event of voluntary appointment of the DPO, they should comply with the same requirements as if the appointment were obligatory, and should therefore be notified to the ICO.
Based on the above analysis, and given that there is no pronouncement to the contrary by the authorities, we consider it preferable to notify the appointment of the DPO, both for the group and for voluntary appointments, to the competent DPAs in each country in order to avoid a possible sanction.