On 26 March 2018 the Italian Data Protection Authority published on its website new FAQs regarding the Data Protection Officer (DPO) in the private sector.
It also published the form to be used for communicating to the Authority the details of the Data Protection Officer that must be reported to it.
1. Who is the data protection officer (DPO) and what are his duties?
The role of data protection officer (“DPO”) is established in Article 37 of Regulation (EU) 2016/679.
The DPO is a person designated by the data controller or data processor to perform support and monitoring duties and provide advice, training and information concerning the application of Regulation (EU) 2016/679. The DPO cooperates with the Authority (and it is for that reason that his name has to be communicated to the Data Protection Authority: cf. FAQ 6) and is the point of contact, also for data subjects, with regard to all issues related to the processing of personal data (Articles 38 and 39 of the Regulation).
2. What qualifications must a data protection officer possess?
The data protection officer, who is not required to possess specific formal qualifications or be enrolled in any particular professional registers, must:
- have expert knowledge of data protection law and practices and of the administrative rules and procedures peculiar to the specific field of operations;
- be able to provide the degree of professional expertise required by the complexity of the tasks to be performed, the advice needed to plan, audit and maintain an organized data-handling system, and support for the data controller/processor in putting in place a series of measures (including security measures) and safeguards in line with the context in which the DPO is required to work;
- act totally independently and autonomously, without receiving instructions, and report directly to the highest management level of the data controller or processor;
- lastly, be able to dispose of the resources (staff, premises, equipment, etc.) needed to carry out his tasks.
3. For which private sector undertakings is the designation of a data protection officer compulsory?
Data controllers and processors falling within the categories listed in Article 37.1, §§ b) and c), of Regulation (EU) 2016/679 are obliged to designate a data protection officer.
They are entities whose core activities (especially their core business activities) consist in processing operations that require regular and systematic monitoring of data subjects on a large scale or in processing special categories of personal data and data relating to criminal convictions and offences on a large scale.
Union or Member State law may provide for other cases in which the designation of a data protection officer is compulsory (Article 37.4).
Based on those premises, the entities obliged to designate a DPO include, but are not restricted to: banks, insurance companies, credit reference agencies; finance companies; business information companies; auditing firms; credit collection agencies; security firms; political parties and political movements; trade unions; tax advice centres and citizens advice bureaux; companies operating in the utilities (telecommunications, electricity and gas) sector; employment agencies and staff recruitment companies; companies operating in the healthcare and disease prevention/diagnosis sector, such as private hospitals, thermal spa treatment centres, medical testing laboratories and rehabilitation clinics; call-centre companies; IT services companies; pay-TV companies.
4. Which entities are not obliged to designate a data protection officer?
In cases other than those provided for in Article 37.1, §§ b) and c), of Regulation (EU) 2016/679, the designation of a data protection officer is not compulsory (for example, when data are processed individually by someone who is self-employed; when agents, representatives and brokers carry out processing operations that are not large scale; when one-man or family firms and small and medium-sized enterprises process data in connection with the ongoing handling of their relations with suppliers and employees: see also recital 97 of the Regulation with regard to the definition of “ancillary” activities).
In any event, the designation of a DPO is still recommended, also in light of the principle of accountability that permeates the Regulation, in which case the person to be appointed must possess the qualifications stated above.
5. Can a group of undertakings appoint a single data protection officer?
Regulation (EU) 2016/679 provides that a group of undertakings (cf. the definition contained in Article 4.19) may appoint a single data protection officer, provided that the DPO is easily accessible from each establishment. The DPO must also be able to communicate effectively with the parties concerned and cooperate with the supervisory authorities.
6. Does the data protection officer have to be an existing employee or can the role be contracted out? What are the modalities of their appointment?
The role of data protection officer may be held by someone employed by the data controller or processor (as long as it does not lead to a conflict of interests) who knows the operating conditions under which data is processed; it may also be contracted out to an external individual or organization, provided that they can assure due performance of the duties that Regulation (EU) 2016/679 assigns to that role.
When an existing employee is assigned the role of data protection officer, he must be so designated by a specific formal appointment, whereas an externally sourced DPO, who must be given the same privileges and level of job protection as an internally appointed one, has to work under a service contract. The relevant agreements, which have to be drawn up in writing, must clearly state the tasks assigned to the DPO, the resources allocated to that end and all other information useful in view of the circumstances.
The (internal or external) data protection officer must be given adequate support in the fulfilment of his tasks in terms of financial and infrastructural resources and, where appropriate, staff. A data controller or processor that designates a data protection officer continues to be fully liable for compliance with data protection legislation and must be able to prove it.
Lastly, the controller or processor must publish their designated data protection officer’s contact details. It is not necessary - even though it could be good practice - to also publish the data protection officer’s name: it is up to the controller or processor and the data protection officer himself to decide whether, in view of the specific circumstances, such information may be useful or necessary.
The data protection officer’s name and contact details must, however, be communicated to the Data Protection Authority. To that end it is currently possible to use the form available at the following link: http://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/7322292
7. Is the role of data protection officer compatible with other positions?
Yes, provided that it does not entail a conflict of interests. From that perspective it would be preferable to avoid assigning the role of data protection officer to people holding positions at top management level (managing director, member of the board of directors, general manager, etc.) or heading departments having decision-making powers as to the purposes and the modalities of data processing operations (human resources, marketing, finance, IT, etc.). Where there is no conflict of interests and depending on the specific circumstances, the possibility of assigning the role to staff support department managers (for example, the head of the legal department) is to be taken into consideration.
8. Does the data protection officer have to be a natural person or could the role be covered by a different party?
Regulation (EU) 2016/679 expressly provides that the data protection officer may be a “staff-member” of the data controller or processor (Article 37.6 of the Regulation); quite clearly, in medium and large-sized organizations the data protection officer, who must in any case be a natural person, may also be supported by a specific department employing the staff required for the fulfilment of his duties.
When the role of data protection officer is contracted out, it may also be held by a corporate entity.
It is recommended that in any case there should be a clear allocation of responsibilities, involving the identification of just one natural person qualified to act as the point of contact for data subjects and the Data Protection Authority.