Does the controller have to provide the name of the DPO on the website?
Is it mandatory to publish the first and last name of the DPO on the controller’s website? From what legal provisions does this obligation arise?
It is mandatory to provide the first and last name of the data protection officer on the website of the entity that designated him or her. This obligation follows directly from the law.
According to Article 37(7) of the GDPR, the controller or processor shall publish the contact details of the data protection officer. The manner in which this obligation is implemented is further clarified in Article 11 of the the Act of 10 May 2018 on the Protection of Personal Data. This provision indicates that an entity which has designated an officer shall provide the officer’s first and last name and the electronic mail address or phone number immediately after the officer is designated on its website, and if it does not run its own website, in a commonly available manner at the place of business.
At the same time, it should be recalled that the entity which designated the DPO should ensure that the DPO's contact information is easily accessible to data subjects. For more on this topic, see the answer to the question: do the DPO's contact details need to be easily accessible?