On March 26th 2018, the Italian Data Protection Authority (hereinafter, the “Garante”) published the new “frequently asked questions” (“FAQs”) related to the Data Protection Officer (DPO) in the private sphere.
The FAQs are a useful tool that provides more specific guidance, in addition to the Article 29 Working Party (“WP29”) Guidelines on Data Protection Officers, to further clarify the DPO role in the private sector.
- What are the tasks of a DPO?
Under the EU General Data Protection Regulation (“GDPR”), the DPO is designated by the controller or the processor (Art. 37) and has support and monitoring tasks, advisory, training and information functions (Art. 39), as well as the task of cooperating with the Garante, for which the DPO acts as the contact point on issues regarding the processing of personal data. For this purpose the name of the DPO shall be submitted to the Garante by means of a communication form.
- What qualifications does a DPO employed in the private sector need?
As in the FAQs on the DPO in the public sphere, the Garante states that, since the profession is not regulated, no specific certificate or professional membership is required for carrying out DPO functions. Nonetheless, the DPO needs to have detailed knowledge of the legislation and practices in the field, as well as of the administrative rules and procedures of the specific sector, in order to be able to advise the controller or processor on the planning, monitoring and maintenance of a personal data management system.
Moreover, the DPO needs to operate independently and autonomously from management, and must have sufficient resources in terms of funds and facilities for carrying out the DPO's tasks.
- What private entities are required to designate a DPO?
Under Art. 37(1) (b) and (c) GDPR, the controller and the processor are required to designate a DPO in any case where the core activities:
- consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
By way of example, the Garante sets out a non-exhaustive list of such businesses, which comprises credit institutions, insurance companies, credit reference agencies, financial corporations, companies operating in the field of commercial information, accountancy firms, debt recovery agencies, security firms, political parties and movements, tax assistance centres, businesses operating in the utilities sector (e.g. telecommunications, electricity and gas supply services), job centres, companies operating in the health care sector such as private hospitals, spas, medical analysis laboratories and rehabilitation centres, call centres, companies providing IT services and pay-TV companies.
- What entities are not required to designate a DPO?
Entities that do not process data within the meaning of Art. 37(1) (b) and (c) are not required to designate a DPO. Such entities are, for instance, self-employed individuals, agents, representatives and mediators not operating on a large scale, individual or family businesses, and SMEs with regard to the processing of personal data related to the day-to-day administration of their relationships with suppliers and employees.
Nonetheless, the Garante recommends, in light of the accountability principle, that these entities also designate a DPO.
- Is a group of undertakings allowed to appoint a single DPO?
On the basis of Art. 37(2) GDPR, a group of undertakings may appoint a single DPO, provided that he or she is easily accessible from each establishment. In this regard the WP29 guidelines state that this condition is met whenever the DPO is established within the European Union. The Garante adds that the DPO must also be able to communicate efficiently with data subjects and to cooperate with the Supervisory Authority.
- Is it allowed to appoint a so called external DPO and which formal deed is required?
In accordance with the GDPR, the controller or the processor may entrust the DPO functions to external parties rather than to staff members, provided that the effective performance of the tasks is guaranteed.
Whereas the so-called internal DPO is appointed by means of a specific act of designation, the external DPO operates on the basis of a service contract. Both acts shall be set down in writing and shall clearly state the allocated tasks and the resources assigned for their completion, as well as any other information relevant to the specific situation.
Finally, attention is drawn to the fact that a controller or processor, even after having designated a DPO, remains responsible for ensuring and being able to demonstrate that processing is performed in accordance with GDPR (principle of accountability).
Moreover, the Garante stresses that the controller or processor is required to publish the contact details of the DPO, while publication of the DPO's name is optional but strongly recommended. By contrast, the submission of both pieces of information to the Supervisory Authority remains mandatory.
- Is the position of DPO compatible with other tasks and duties?
The Garante identifies a risk of conflict of interest for top management positions (e.g. chief executive officer, member of the management board, managing director) and for positions that involve decision-making power over the purposes and means of the processing of personal data (e.g. head of the human resources, marketing, finance or IT department). It still has to be clarified whether or not the position is compatible with the role of staff manager.
- May the DPO also be a legal person?
The Garante makes clear that, whereas undertakings that assign the DPO role to a staff member (internal DPO) are required to designate a natural person, who may be supported by a back office, the role of external DPO may be assigned to a legal person. However, the Garante strongly recommends clearly allocating the tasks and identifying a single natural person who will act as the contact point for data subjects and for the Supervisory Authority.
Practical actions / implications
In order to comply with these indications, the controller or processor shall:
- Check whether the particular type of processing falls within the scope of the DPO designation obligation;
- Designate an internal/external DPO by means of a formal deed, which clearly sets out the tasks and resources assigned;
- Submit the DPO’s contact details and name to the Garante by means of the communication form provided for by the Garante;
- Publicly disclose the contact details of the DPO;
- Provide the DPO with facilities as well as with financial and human resources that are necessary for carrying out the assigned tasks.