One of the innovations of the GDPR for corporations, corporate groups and groups of undertakings is the introduction of a so-called group data protection officer. This is regulated in Art. 37 II GDPR, which states:
"A group of companies may appoint a joint data protection officer provided that the data protection officer can be easily reached from any location."
Since the transfer of personal data within a group of companies is part of its everyday operations, a common data protection officer can provide relief by creating consistent data protection rules and concepts and by acting as a single point of contact for the entire group. The concept of a group of undertakings is defined in Art. 4 No. 19 GDPR as a group of companies consisting of a controlling company and its dependent companies.
As a further requirement, the provision mentions easy accessibility of the group data protection officer, meaning that all employees, but also the local supervisory authorities and the data subjects, can easily reach and communicate with him or her. Especially within global enterprises that have subsidiaries and branches in many different countries, the different languages can be a significant communication barrier. However, no one can be expected to speak, in addition to holding the required data protection qualification, every language of every branch in each country. Here, recourse to a common language, especially English, is a possible solution. Additionally, data protection coordinators in each individual company can act as a link between the local regulatory authorities and the group data protection officer.
However, it is often difficult to find a suitable and qualified person who has the necessary (international) qualifications and is also familiar with the way in which companies operate. Thus, an external group data protection officer can present an adequate solution.
What are the tasks of a group data protection officer?
In principle, the tasks which a group data protection officer must fulfill are based on the same requirements as those of any other data protection officer, which are standardized in Art. 39 GDPR. Namely:
- to advise and inform the responsible persons regarding the implementation of the GDPR in the group
- to enable compliance with the GDPR and foster a data protection culture within the organization
- to maintain policies and procedures on data protection
- to monitor compliance with the provisions of the GDPR within the group, which also includes sensitizing employees with regard to the basic data protection requirements, as well as their training
- to advise on the data protection impact assessment
- to support data incident responses and notification procedures for data breaches
- to work with the regulators and act as their first point of contact
An external group data protection officer usually has experience with various groups of companies and has dealt with various data protection challenges, so that he or she can quickly adapt a solution for another group.
Two challenges for a group data protection officer
The difference from a data protection officer who is only responsible for a single company is the complexity of the (international) flows of personal data and of the organizational structure of the group. For example, it often happens that there is no single contact person in a group who has an overall view of a particular process, which may be relevant when drawing up the record of processing activities.
Another challenge is that although the GDPR is uniform throughout the EU, there are national specifications and differences in the individual member states of the EU that need to be taken into account. For this purpose, consulting professionals with local legal expertise on individual issues may be a possible solution.
Nevertheless, the designation of a group data protection officer can be a considerable relief for the group. Important for this are the development of a suitable data protection organization within the group, the support of the company management and sufficient financial and personnel resources for the group data protection officer. An external data protection officer in particular can be a pragmatic, professional and timely solution, which is often cheaper than setting up your own data protection department within the group.