Do the DPO's contact details need to be easily accessible?
Do the DPO's contact details need to be easily accessible to data subjects? How should they be published on the controller’s website?
The purpose of the controller's obligation to publish the name and e-mail address or telephone number of the data protection officer on its website is to ensure that data subjects can easily and directly contact the DPO without having to contact other business units within the organisation [Article 29 Working Party’s Guidelines on Data Protection Officers (WP 243), p. 13].
If the controller operates its own website, the details of the designated DPO should be in an easily accessible place on the website, such as under: "Contact", "Data Protection Officer", "GDPR" or "Personal Data Protection". On the other hand, it should be considered inappropriate to publish these data in places that require a long search, such as "News" or "Privacy Policy".
Under the GDPR, one of the tasks of the DPO is to act as a contact point, or intermediary, between the controller or processor and data subjects. The EU legislator, in Article 38(4) of the GDPR, has empowered data subjects to contact the DPO on all matters related to the processing of their personal data and the exercise of their rights under the GDPR. This role of the DPO is strongly linked to the duties of the controller and processor set forth in Articles 12-22 of the GDPR, and is intended to contribute to their more effective execution.
As an example, there is a personal data breach that may cause a high risk to the rights and freedoms od natural persons. In such a case, the importance of the rights of natural persons and the role of the DPO is highlighted in a special way. As should be inferred from Article 34(2) of the GDPR, in cases of such personal data breaches, affected individuals should be able to contact the DPO or other contact point to obtain additional information beyond that provided to them in the data breach notification.