Q&As

If a multinational company with entities in a number of EU states has registered a data protection officer (DPO) with the Information Commissioner’s Office (ICO), does it need to register a DPO in the other EU states where it has entities or is registration in one country sufficient?

read titleRead full title

Produced in partnership with Alexander Dittel of Wedlake Bell
Published on: 12 November 2019
imgtext

Under Article 37 of the General data protection Regulation, Regulation (EU) 2016/679 (the GDPR), companies have to appoint a data protection officer (DPO) if certain conditions are met. The information commissioner’s Office (ICO) offers a simple questionnaire to determine if a mandatory DPO is required. Even if a DPO is not required, a voluntary appointment of a formal DPO is possible.

A group of companies may appoint a single DPO provided that the DPO is easily accessible from each establishment (Article 37(2) of the GDPR). According to the Article 29 Data Protection Working Party Guidelines on Data Protection Officers (the DPO guidelines), ‘easily accessible’ refers to being available internally within the organisation as well as externally to data subjects and supervisory authorities.

The GDPR requires the details of the DPO

Alexander Dittel
Alexander Dittel

Partner, Wedlake Bell

Alex has over 10 years of experience in data privacy and commercial matters. He joined private practice in 2013. Previously, he worked for a start-up and later for Google, where he developed a deep understanding of what matters to clients most. He spent time on secondments at Amazon and Pfizer.
Ìý
Alex supports clients with specialist advice on matters involving data in technology, transactions and disputes, as well as general data protection compliance and cyber security matters.
Ìý
Alex offers a critical view on the proportionality of data processing in new technologies including AI and automated decision-making with a drive to finding appropriate solutions, expertise in mature legitimate interest assessments and adequate outcomes in data transfer impact assessments. He brings a measured approach to negotiating data protection aspects of transactions.
Ìý
Alex supports clients from the technology sector, fintech, adtech, health, cloud, property, transport, social media and digital trading.

Read moreRead more
Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Key definition:
Data protection definition
What does Data protection mean?

In an employment context, this refers to the obligation on an employer to protect the data of its employees and ensure that it complies with the law on how it uses the employees' data.

Read more

Popular documents

UK GDPR—the basics

UK GDPR—the basicsThis Practice Note explains, in simple terms, the key features of the UK General Data Protection Regulation (UK GDPR). See also Precedent: Data protection quick reference guide.This Practice Note is intended for non-privacy specialists and there are separate, more detailed,

Public statement on data breach

Public statement on data breachStatement by [insert name of organisation] concerning a significant [cyber-attack OR data protection breach] on [insert date].On [date], we were made aware of an incident threatening the security of personal data for which we are responsible. [We OR [insert name of

If a multinational company with entities in a number of EU states has registered a data protection

If a multinational company with entities in a number of EU states has registered a data protection officer (DPO) with the Information Commissioner’s Office (ICO), does it need to register a DPO in the other EU states where it has entities or is registration in one country sufficient?Under Article 37

How do I calculate the time limit for responding to a data subject request?

How do I calculate the time limit for responding to a data subject request?The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data