Can Shared Services Centres (SSCs) appoint one Data Protection Officer (DPO) for all serviced units?
Shared Services Centres (SSCs) are established as separate entities, most often dealing with auxiliary activities, performed for both executive and legislative bodies of local government, as well as for the service of various organisational units, including offices, institutions, and budgetary units among others. The final decision on the establishment of a local government shared service centre, its shape and scope of tasks performed by it, is made by the decision making body of a given local government unit.
SSCs are not the data controllers for data provided by the serviced units. They may process data to the extent and for the purpose necessary to perform tasks within the shared service of these units (in accordance with Art. 10d of the Act of March 8, 1990, on Poviat Self Government, Art. 6d of the Act of June 5, 1998, on county self-government, and Art. 8f of the Act of June 5, 1998, on Voivodeship Government). Depending on different possible solutions used by specific local governments, the SSC may, however, be the data controller, for example, of its employees' data.
Under the General Data Protection Regulation, the obligation to appoint a data protection officer in the public sector will apply to all public bodies and entities (Article 9 of the Act on the Personal Data), both those who are data controllers and data processors.
However, even in a situation where this would be an employee of one of these units, for example an employee of the Shared Services Centre, it is necessary for each of these units, e.g., each school, each cultural centre, to separately appoint a DPO, as separate data controllers. Therefore, even if the Shared Services Centre, provides services related to broadly understood personal data protection to the entities serviced, it is not authorized to appoint a data protection officer in these entities. The obligation to appoint a data protection officer cannot be transferred, for example by resolution or agreement, to another organizational unit, for example to the Shared Services Centre.
Each of the entities obliged to appoint a data protection officer (regardless of whether it will be the same person or different persons) will also be obliged - in accordance with Art. 37(7) GDPR - to publish the contact details of the officer and communicate them to the supervisory authority. Just like the obligation to appoint an officer, the obligation to communicate the contact details also applies to each local government unit referred to in Art. 37(1) (a) GDPR.