Background Information

Starting from 25 May 2018, all data controllers who satisfy the requirements of Art. 37 of the EU General Data Protection Regulation (“GDPR”) will have to appoint a Data Protection Officer (“DPO”).

On 15 September 2017, the Italian Data Protection Authority (“Garante”) clarified that companies and public entities shall appoint the DPO on the basis of verified competencies and specific experience. Accordingly, certificates or subscriptions to professional bodies are not mandatory for the appointment of the DPO.

Main issues

In the case at issue, the Italian Garante sent a note to an Italian hospital clarifying that a DPO must have specific and in-depth knowledge of data protection regulations and proceedings. In its note, the Garante suggested that the selection of a suitable DPO be based on professional competences acquired through real and specific experience. Certificates from master's programmes and/or courses may be considered an added value for proving the level of knowledge of the subject, if specified by the certification, but shall not be deemed mandatory. Moreover, they are not equivalent to a formal qualification, given that the current regulations do not envisage the setting up of a professional body for DPOs.

In the case of hospitals or any other entity legally providing health care, the selection of the DPO shall require the verification of even more specific experience. The processing of personal data, as identified in Art. 9 GDPR, indeed requires the assessment of in-depth competences in order to provide a high level of commitment.

Therefore, the main requirement to be verified in order to select the DPO is the real ability to perform the required duties.

Practical implications

In order to comply with these indications, before the appointment of a DPO, companies and public entities shall:

  • evaluate only curricula vitae that provide evidence of experience in data protection law;
  • consider certificates from master's programmes or courses indicating the level of knowledge of the subject only as a useful instrument for the evaluation, which under no circumstances is equivalent to specific competences and experience;
  • in the case of processing of special categories of personal data, such as data concerning health or genetic data (Art. 9 GDPR), select only a candidate who possesses a higher specialization in consideration of the processing operations;
  • pursuant to the principle of accountability (Art. 30 GDPR), autonomously evaluate whether the candidate meets the requirements needed to be appointed as DPO and to perform such tasks.