Can two DPOs be employed in the same organizational unit, and can a DPO have a deputy?

ANSWER

Under Article 11a of the Polish Personal Data Protection Act, a Data Protection Officer may designate a person to deputise for the DPO or may have an appointed data protection team. Appointing a DPO deputy or even an entire team to ensure continuity of operations is a very good and welcome solution, particularly in the event of the DPO's longer absence.

However, a data controller may have only one DPO. There cannot be two DPOs within a single entity. The Data Protection Officer may be employed by the data controller on a half-time or full-time basis — this decision rests solely with the data controller. The same principle applies to the DPO's deputy.

Nevertheless, the scope of tasks, competences, and responsibilities should differ for the DPO and the deputy. Therefore, the agreements concluded with the DPO and with the DPO's deputy should clearly distinguish these two roles. Under Article 11a(3) of the Polish Personal Data Protection Act, the President of the Personal Data Protection Office (UODO) must be notified of the designation of a DPO deputy.