According to Article 37(6), the DPO may be:
- an internal DPO - a staff member of the controller or the processor, or
- an external DPO - a professional 'fulfilling the tasks on the basis of a service contract'.
If the DPO is external, all the requirements of Articles 37 to 39 apply to such a DPO. As stated in the Guidelines, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ of the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all relevant requirements of the GDPR.
For the sake of legal clarity and good organisation, the Guidelines recommend that the service contract contain a clear allocation of tasks within the external DPO team and assign a single individual as the lead contact and 'person in charge' of the client.
Contact us for a custom-made proposal for your organization.