Can the role of the DPO also be performed by a person from outside the controller’s/processor’s organisation?
Pursuant to Article 37(6) of the GDPR, a data protection officer may be either a staff member of the controller or processor or a non-employee. It therefore remains possible to perform the function of data protection officer in an outsourcing model, on the basis of a service contract. It should be emphasized, however, that a person acting as DPO on the basis of a service contract must meet all the requirements of the GDPR, e.g. the requirements for avoiding conflicts of interest, guarantees of independence, ease of contact, and proper and timely involvement of the DPO in all issues relating to the protection of personal data.
It should also be emphasized that each controller/processor will be required to notify the supervisory authority of the designation of a specific person and, as per Article 10(1) of the Act of 10 May 2018 on the Protection of Personal Data, to provide the following information: the first and last name and the electronic mail address or phone number of the officer.