The Group DPO

GDPR Article 37(2) permits a single Data Protection Officer to serve multiple undertakings within a corporate group or association. This page explores the Group DPO architecture, governance challenges, cross-border considerations, and CPLP expansion dynamics.

Article 37(2) GDPR: Single DPO for Multiple Undertakings

GDPR Article 37(2) explicitly permits organisations to appoint a single DPO to serve multiple undertakings, provided the DPO is "easily accessible" to each organisation. This provision reflects the practical reality that large groups, multinational enterprises, and public sector clusters benefit from centralised data protection governance whilst maintaining operational flexibility within each entity.

The term "undertaking" is deliberately broad, encompassing legal entities with independent data processing responsibilities. A parent company and its subsidiaries, a holding company and its portfolio companies, or a public authority and its associated agencies all qualify as separate undertakings capable of sharing a single DPO.

Practical accessibility is the critical requirement. The DPO must be reachable by each undertaking within reasonable timeframes, with clear escalation procedures, documented service-level agreements, and sufficient capacity to address each entity's DPO obligations. Geographic proximity, time zone alignment, and language capability factor into accessibility assessments.

Lead Supervisory Authority and One-Stop-Shop Mechanism

When a Group DPO serves undertakings across multiple EU jurisdictions, the concept of the "lead supervisory authority" (Article 56 GDPR) becomes operationally significant. The lead authority is the supervisory authority of the undertaking's main establishment—typically the EU location where the group maintains its central administration or primary decision-making centre.

Under the one-stop-shop mechanism, the lead authority coordinates with other affected supervisory authorities regarding data protection matters affecting multiple jurisdictions. For a Group DPO serving undertakings in Portugal, Spain, and Poland, the lead authority would typically be the CNPD (if Portugal is the main establishment), and the Portuguese DPO would coordinate breach notifications, DPIAs, and enforcement actions across the group.

Strategic Implication: A centralised Group DPO reduces regulatory fragmentation and streamlines communications with multiple supervisory authorities. The Group DPO serves as a single point of coordination, translating group policies into jurisdiction-specific compliance measures and managing relationships with each affected authority.

Structuring the Group DPO Role

Effective Group DPO governance requires deliberate structural design. The Group DPO function typically comprises three integrated components:

Central Coordination

The Group DPO (or DPO team) maintains centralised responsibility for: policy development, cross-group standards, training and guidance, vendor management, breach response protocols, and supervisory authority relationships. The central DPO establishes group-wide templates for Data Protection Impact Assessments, processing documentation, and incident response. This ensures consistent governance and reduces duplication across undertakings.

Central coordination is particularly valuable for groups operating in regulated sectors (finance, healthcare) where baseline compliance standards must be uniform, or multinational groups processing data at scale across jurisdictions.

Local Support Networks

Each undertaking within the group maintains local data protection contacts—typically compliance officers, legal counsel, or operational managers—who interface with the Group DPO. These local contacts understand operational reality, can escalate urgent matters, and assist in implementing group-wide policies within their jurisdiction. Local contacts facilitate accessibility; the Group DPO is not personally present in every location, but coordination mechanisms ensure responsiveness.

Local support is essential when undertakings face jurisdiction-specific requirements (Lei 58/2019 in Portugal, GDPR implementation in Spain, data localisation rules in specific sectors). The local contact bridges group-wide policy and the nuances of local regulatory requirements.

Reporting Lines and Escalation

Clear reporting lines are critical. The Group DPO typically reports to the group's General Counsel, Chief Compliance Officer, or Chief Risk Officer—a senior position independent from operations and data processing. Each undertaking's local contact reports to the relevant undertaking's leadership, with escalation procedures connecting local issues to the Group DPO and ultimately to group-level governance.

Escalation procedures must specify: which matters require Group DPO involvement (policy exceptions, significant breaches, supervisory authority interactions), response timeframes, and documentation requirements. A well-designed escalation framework prevents local delays in breach reporting or supervisory authority cooperation.

Challenges: Language Barriers, Local Nuances, and Cross-Border Operations

Group DPOs face distinctive challenges compared to single-entity DPOs:

Language Barriers

A Group DPO serving undertakings across multiple countries must navigate multiple languages. Official communications with supervisory authorities, legal documentation, and incident response may require translation. More subtly, language differences affect how data protection concepts are understood and implemented. A "processor agreement" has different legal implications in Portuguese and Hungarian law; a Group DPO must ensure each undertaking understands its obligations within local legal frameworks.

Organisations address language barriers through: hiring multilingual DPO staff, engaging local language consultants for critical communications, or establishing written guidance translated into each undertaking's working language. Language investment is not optional; inadequate translation has triggered CNPD warnings and contributed to breach notification failures.

Local Nuances and Regulatory Variation

Although GDPR is directly applicable across all EU member states, supervisory authorities interpret requirements differently. The CNPD's enforcement priorities may differ from Spain's Autoridad de Protección de Datos. Data Protection Impact Assessment thresholds, processing activity notification requirements, and international data transfer safeguards vary subtly across jurisdictions. A Group DPO must maintain expertise in each undertaking's home jurisdiction, or engage local specialists to ensure compliance tailored to local expectations.

This challenge intensifies when the group operates beyond the EU (e.g., in Brazil under LGPD, discussed below). The Group DPO must understand not just GDPR, but complementary or divergent frameworks in each jurisdiction where the group processes data.

Cross-Border Breach Notification

When a security incident affects data subjects across multiple jurisdictions, the Group DPO orchestrates coordinated breach notifications to affected supervisory authorities within 72 hours. This is logistically complex: assessing which authorities must be notified, determining if the breach presents "high risk" (triggering mandatory data subject notification), translating breach notifications into multiple languages, and managing follow-up investigations by multiple authorities simultaneously.

A Group DPO managing multinational breach response must: establish pre-incident protocols specifying notification procedures, maintain translated notification templates, engage legal counsel in each jurisdiction to assess notification requirements, and coordinate with the group's information security leadership to investigate cross-border impacts. Delays or inconsistencies undermine supervisory authority confidence and expose the group to enforcement action.

Risk Scenario: A Group DPO learns of a data breach affecting undertakings in Portugal, Spain, Poland, and the UK. The Portuguese undertaking notifies the CNPD; the Spanish undertaking notifies AEPD. If notifications differ in substance or timeline, supervisory authorities may perceive inconsistency as evidence of inadequate governance. The Group DPO must ensure all notifications accurately reflect the breach, acknowledge the same root cause analysis, and present unified incident response actions across all affected jurisdictions.

CPLP Dimension: Brazil (LGPD), Angola, Mozambique, Cape Verde

Portuguese-speaking countries and Portugal's historical relationships create unique opportunities (and complexities) for Group DPO structures. Several CPLP (Comunidade dos Países de Língua Portuguesa) member states have enacted or are developing data protection frameworks:

Brazil: LGPD (Lei Geral de Proteção de Dados)

Brazil's Lei Geral de Proteção de Dados, effective September 2020, establishes data protection obligations broadly analogous to GDPR. LGPD requires organisations to appoint a Data Protection Officer (Encarregado de Proteção de Dados) in circumstances similar to those triggering mandatory designation under GDPR. Key differences from GDPR include:

  • Consent model: LGPD relies more heavily on consent as a lawfulness basis compared to GDPR's balanced approach
  • International transfers: LGPD permits transfers to countries with "adequate" protection, similar to GDPR, but Brazil's Autoridade Nacional de Proteção de Dados (ANPD) has been more restrictive on adequacy determinations
  • Enforcement: LGPD fines are substantial (up to 2% of global revenue, capped at approximately USD 40 million per infringement) but ANPD enforcement remains less mature than European supervisory authorities

Portuguese groups with Brazilian operations increasingly structure a combined DPO framework, with the Group DPO maintaining dual GDPR and LGPD expertise, or engaging Brazilian DPO specialists to manage LGPD compliance. This creates synergies: similar governance structures, shared breach response protocols, and efficiency in training on comparable frameworks. However, LGPD and GDPR divergences require careful calibration—a processor agreement valid under GDPR may not meet LGPD transfer requirements without adjustment.

Angola, Mozambique, Cape Verde

Angola, Mozambique, and Cape Verde are less developed in data protection governance. These countries often lack dedicated data protection authorities or comprehensive data protection laws modelled explicitly on GDPR. However, Portuguese undertakings operating in these countries must remain alert to emerging frameworks and regional trends. The African Union's Digital Transformation Strategy and ECOWAS data protection initiatives may eventually establish minimum standards.

For now, Portuguese groups operating in Angola, Mozambique, or Cape Verde typically apply GDPR standards as a baseline governance framework, even absent explicit legal requirement. This demonstrates good governance and manages reputational risk. A Group DPO may not formally designate separate DPOs in these jurisdictions, but should maintain awareness of emerging requirements and engage local counsel to monitor legal developments.

Best Practices for Group DPO Governance

1. Clear DPO Mandate and Reporting

Document the Group DPO's responsibilities across each undertaking through a formal mandate. Specify which DPO functions are centralised (policy development, vendor management) versus decentralised (local incident response, local training). Establish reporting lines clearly: the Group DPO reports to an appropriately senior leader (General Counsel, Chief Compliance Officer), independent from business operations.

2. Local Accessibility Mechanisms

Implement mechanisms ensuring the Group DPO is accessible to each undertaking. This may include: designated local contacts in each jurisdiction, response time commitments (e.g., policy questions answered within 48 hours), regular in-person or video meetings with undertaking leadership, and documented escalation procedures. Accessibility enhances both compliance and undertaking confidence.

3. Jurisdiction-Specific Guidance

Maintain jurisdiction-specific guidance documents translating group policy into each undertaking's legal requirements. For example, group vendor management policy should include specific contract clauses required under GDPR (EU undertakings), LGPD (Brazil), and relevant local frameworks (Portugal). This prevents local misunderstanding and ensures uniform standards adapted to local requirements.

4. Multilingual Capabilities

Invest in language capability through staff multilingual competence or translation resources. Critical communications—supervisory authority notifications, data subject communications, policy guidance—should be available in each undertaking's working language. Budget for professional translation of complex legal documents to avoid misinterpretation.

5. Dual-Framework Expertise (GDPR + LGPD for Groups with Brazil Operations)

Groups operating in both Europe and Brazil should develop expertise spanning GDPR and LGPD. This may involve: DPO team members with LGPD certification, engagement with Brazilian data protection specialists, cross-training on framework differences, and documentation of how group policies accommodate both frameworks. Investment in dual-framework capability differentiates high-performing groups from those struggling with fragmented compliance.

6. Incident Response Coordination

Establish pre-incident protocols specifying how the Group DPO coordinates breach response across multiple jurisdictions. Include: a decision tree for determining which supervisory authorities must be notified, translated templates for breach notifications, escalation procedures connecting incident response teams to the DPO, and the Group DPO's role in coordinating multi-jurisdictional investigations. Test these protocols through tabletop exercises to identify gaps before an actual breach occurs.

Implementation Example: A multinational group with undertakings in Portugal, Spain, Poland, and Brazil establishes a Group DPO team comprising: (1) a Lead DPO with GDPR and LGPD expertise based in Lisbon; (2) local DPO specialists in Spain, Poland, and São Paulo reporting to the Lead DPO; (3) documented local accessibility commitments (weekly video calls with each jurisdiction, response to urgent questions within 24 hours); (4) jurisdiction-specific guidance documents in European Portuguese, Spanish, Polish, and Brazilian Portuguese; and (5) pre-incident protocols specifying that the Lead DPO coordinates breach response with all affected supervisory authorities, including CNPD (Portugal), AEPD (Spain), UODO (Poland), and ANPD (Brazil).

Conclusion

The Group DPO function is increasingly important for multinational enterprises, large corporate groups, and public sector clusters. Structuring a Group DPO arrangement requires careful attention to accessibility, local expertise, escalation procedures, and jurisdiction-specific compliance requirements. For Portuguese groups, particularly those with CPLP operations, strategic investment in Group DPO governance offers competitive advantage, reduced regulatory fragmentation, and enhanced capacity to manage cross-border data protection challenges. Success demands technical competence, organisational clarity, and commitment to genuine accessibility across all undertakings served.