Kemp Little
  • Looking for someone?
  • Email us
  • Search
MENU MENU
Insights overview

Commercial technology · Data protection & privacy · 1 November 2019 · Marta Dunphy-Moriel · Alex Dittel

Notifying details of the DPO and Brexit

We aim to answer two key questions: Which national regulator should be notified the details of a global company’s DPO if the company has entities… Read more

more content below

We aim to answer two key questions:

  • Which national regulator should be notified the details of a global company’s DPO if the company has entities in a number of EU member states?
  • Will Brexit affect the position?

Appointing a DPO

Under Article 37 of the General Data Protection Regulation (GDPR) companies must appoint a data protection officer (DPO) if certain conditions are met. The Information Commissioner’s Office (ICO) offers a simple questionnaire to determine if a mandatory DPO is required. Even if a DPO is not required, a voluntary appointment of a DPO is possible.

Legal obligation to notify the details of the DPO

A group of companies may appoint a single DPO provided that the DPO is easily accessible from each establishment. According to the Article 29 Working Party’s Guidelines on DPOs adopted on 13 December 2016, “easily accessible” refers to being available internally within the organisation as well as externally to data subjects and supervisory authorities. DPOs must be easily, directly and confidentially contactable.

To ensure that this can be achieved, companies must:

  • Publish the contact details of the DPO, for example, by making the details easily available on the company’s website.
  • Register the fact the company has a DPO with the “relevant” supervisory authorities or the supervisory authorities “concerned” and providing any required contact details.

Which supervisory authority or authorities should be notified?

This depends on the type of processing activity:

  • Cross border processing: Where the company is carrying out “cross-border processing”, the DPO’s details should be notified to the “lead supervisory authority”. However, in some cases notifying the lead authority alone may not suffice.
  • Local processing: If a global company operates in a number of member states, each supervisory authority remains competent to deal with local matters (for example, the processing of employee data) and may have to be notified.
  • Likely to receive a complaint: It is also advisable to register with the local authorities in member states where the data subjects reside who are “substantially affected or likely to be substantially affected” by the company’s processing (for example, the company has a very large number of users in a member state).

In practice it may not be possible to notify each “supervisory authority concerned” because of its broad definition. Therefore, each company will have to determine to the best of its abilities which “relevant” supervisory authorities should be notified.

What are the effects of Brexit?

This depends on the type of processing activity:

  • Cross border processing: Depending on any deal or no-deal situation, the ICO may no longer be a supervisory authority “established by a Member State”. This means that if a global company has notified the DPO’s details to the ICO as its lead authority, following Brexit it will likely have to notify the details to other “relevant” EU supervisory authorities.
  • UK processing: Companies operating in the UK will still need to register with the ICO, in the terms required by the UK Data Protection Act 2018.

Key takeaways

In conclusion, companies should:

  • Include the DPO’s details on the company’s website, ideally, by setting up a separate link or page rather than burying the details in the privacy notice (there is no need to provide the DPO’s name).
  • Carry out an analysis of which supervisory authorities are in scope, register local establishments and notify the relevant supervisory authorities.
  • Share this blog

  • Twitter
  • Facebook
  • Linkedin

Need to talk about this?

Marta Dunphy-MorielMarta Dunphy-Moriel

Alex DittelAlex Dittel

Get in touch

Sign up for our newsletters

  • Share this Blog

  • Twitter
  • Facebook
  • Linkedin

Other stuff you might like


    Notice: Undefined variable: show_default in /home/kemplittle/test.kemplittle.com/wp-content/themes/kemplittle/single.php on line 349
  1. The best way to learn from Thomas Cook and safeguard your agency | TTG media
  2. Coding and law: how coding made me a better paralegal
  3. Podcast | DPO Update: ICO on direct marketing, scientific research opinion, CCTV and fines
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
close
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
Kemp Little

Lawyers
and thought leaders who are passionate about technology

Expand footer

Kemp Little

138 Cheapside
City of London
EC2V 6BJ

020 7600 8080

hello@kemplittle.com

Services

  • Commercial technology
  • Consulting
  • Disputes
  • Intellectual property
  • Employment
  • Immigration

 

  • Sourcing
  • Corporate
  • Data protection & privacy
  • Financial regulation
  • Private equity & venture capital
  • Tax

Sitemap

  • Our people
  • Insights
  • Events
  • About us
  • Contact us
  • Cookies
  • Privacy
  • Terms of use
  • Compliants
  • Debt recovery charges

Follow us

  • Twitter
  • LinkedIn
  • FlightDeck
  • Sign up for our newsletters

Kemp Little LLP is a limited liability partnership registered in England and Wales (registered number OC300242) and is authorised and regulated by the Solicitors Regulation Authority. Its registered office is 138 Cheapside, London EC2V 6BJ. The SRA Standards and Regulations can be accessed by clicking here.

  • Cyber Essentials logo
  • Tech Nation logo
  • LORCA logo
  • ABTA Partner+ logo
  • Make Your Ask logo
  • FT Innovative Lawyers 2019 winners logo
  • Law Society Excellence Awards shortlisted
  • Legal Business Awards = highly commended
  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn
close
close
close

Send us a message

Fill in your details and we'll be in touch soon


Notice: Trying to get property of non-object in /home/kemplittle/test.kemplittle.com/wp-content/plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension.php on line 330

close

Sign up for our newsletter

I would like to receive updates and related news from Kemp Little *

Please select from the areas of interest below.

Themes

Services

Please select below any publications that you would like to receive:

Newsletters

close

Register for future event information

close
close
Looking for someone?
Generic filters
Exact matches only

Can't remember their name? View everyone

  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn