Can different enterprises not forming part of the same group designate a single DPO?

Article 37(2) of the GDPR expressly provides for the possibility for controllers forming a group of undertakings, e.g. a capital group, to appoint a single data protection officer, provided that the DPO is easily accessible from each establishment. The group of undertakings is defined in the provisions of the Regulation as a controlling undertaking and the undertakings controlled by it.

The European legislator, in Article 37(2) of the GDPR, has adopted a model of, so to speak, 'joint designation of the DPO' by a group of undertakings, due to the interconnectedness of these undertakings, common internal regulations, similar rules and ways of dealing with personal data.

Each of the undertakings, by designating the same person as their DPO, will have the possibility to comply at the same time not only with the condition indicated in this provision (ease of contacting the DPO), but also with all other requirements set out in the law as regards DPOs. Very importantly, in such a situation it will be possible, for example, to reasonably and jointly define rules for ensuring that such DPO has sufficient time to fulfil his or her duties, to help create a plan for his or her work and, if necessary, to support his or her functioning with a team of relevant specialists. The DPO serving a group of similarly functioning entities has the opportunity to gain a sound understanding of their functioning and the rules applicable to them. For the above reasons, the solution adopted in Article 37(2) seems rational and justified, and it can be assumed that groups of undertakings will want to use it.

However, the regulation adopted in this provision does not mean that it is not permissible for several data controllers to designate one person outside the indicated case, i.e. outside the group of undertakings. Indeed, the provisions of the GDPR do not contain a prohibition in this respect. Whenever such a solution is used, it is an absolute condition that this person is able to genuinely fulfil his or her duties towards each organisation he or she serves and in a manner fully compliant with the law and the needs of the specific controller (see also the answer to the question "Can public entities designate a single DPO outside the situation regulated by Art. 37(2) of the GDPR?").