On December 15th 2017, the Italian Data Protection Authority (called the “Garante”) published the new “frequently asked questions” (FAQs) related to the Data Protection Officer (DPO) in the public sphere.
The main aim of FAQs is to respond to the major questions and concerns that arose during the meetings held in June 2017, between the Italian Public Administrations and the Garante.
This document is a useful tool that can serve as a more specific guidance, in addition to the Article 29 Working Party (“WP29”) Opinion on DPOs (Guidelines on Data Protection Officers), to further clarify the DPO role in Italian Public Administrations.
> What entities are required to designate a DPO?
The Garante, according to Art. 37 (1) (a) of the General Data Protection Regulation (“GDPR”), states that all public authorities and bodies have to designate a DPO, except for courts acting in their judicial capacity. However, the GDPR does not define what constitutes a ‘public authority or body’ and, according to the WP29, such a notion shall be determined under national law.
As a consequence, the public authorities and bodies obliged to designate a DPO shall be those enumerated in Articles 18-22 of the Italian Data Protection Code, such as: State administrations, national, regional or local non-economic bodies, regional or local Authorities, Universities, Chambers of Commerce, Industry, Crafts and Agricultural bodies, National Health Service entities, Independent Authorities etc.
Furthermore, the Garante strongly recommends the designation of a DPO to private entities exercising public functions, although they are not mandatory.
> What qualifications must a DPO employed in a Public Authority have?
In conformity with Art. 38(3) of the GDPR, the two essential features are:
- performance of his or her duties in an independent manner;
- direct reportingto the highest management level.
This suggests that it would be more appropriate to give the DPO role to a manager or an official of high professionalism.
> Does the DPO have to have qualification certificates?
The Garante clarifies that the DPO can still be considered as one of the “unregulated professions”. Meaning that any certificate, while representing a valid instrument to verify a minimum level of knowledge, is not equivalent to a “license” for the performance of DPO functions.
Therefore, the ultimate evaluation of the DPO’s requirements is up to the Public Administration.
> Which formal deed is required to designate a DPO?
The Garante states that in case of:
- Internal DPO: a specific act of designation is necessary to formalize the role of DPO;
- External DPO: the designation deed will be an integral part of the service contract.
In both cases, the designation deed should specify the DPO’s identity, functions, tasks and duties, as well as the reasons for appointing the specific person to the role of DPO. For this purpose, the model of designation act provided by the Garante could be used.
The Public Administration’s DPO must be communicated to the Garante; this communication can be through the model of communication that the Italian Authority provided.
> Does the internal DPO require the establishment of a special office?
Following Art. 38(2) of the GDPR the controller and processor shall support the data protection officer in performing the tasks referred to in Art. 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. For this reason, given the size and structure of the organization, it may be necessary to set up a DPO team. In such cases, the natural person who takes the role of DPO must be identified (through the designation act).
> Can controllers or processors appoint more than one DPO?
The Garante clarifies that the uniqueness of the DPO is fundamental in order to avoid overlapping responsibilities, in both cases of internal and external DPOs.
> What are the additional tasks and functions that can be assigned to a DPO?
In accordance with the GDPR, the organization must ensure that any such tasks and duties do not result in a conflict of interest with proper data protection functions.
The Garante specifies that in the public sphere, conflicting positions within the organization may include senior management positions such as the IT Manager (who determines the necessary security measures) or the Statistics Manager (who defines the characteristics of the processing operations for statistics purposes).
When a DPO is shared between numerous Public entities or is an external service provider, the Garante recommends being cautious since it could lead to conflicts of interest. In such cases, the DPO should give guarantees to ensure efficiency, accuracy and absence of possible conflicts of interest.
In order to comply with these indications, before appointing a DPO, public entities shall:
- evaluate the Curriculum providing evidence of experiences on Data Protection law and consider masters or certificates of courses indicating the level of knowledge of the subject only as a useful instrument for the evaluation, which under no circumstances is equivalent to specific competences and experiences;
- designate the selected DPO with a specific designation deed that specifiesthe DPO’s identity, functions, tasks and duties;
- designate a DPO that does not have any conflict of interest;
- evaluate if it is necessary to set up a DPO team/office.