DPO: THE ACRONYM THAT REVOLUTIONIZES
From now on, a legal person can also act as the supervisor of the digital change
The Council of Ministers of March 21st, 2018 approved, in preliminary examination, the Legislative Decree that will harmonize Italian legislation with the provisions of EU Regulation 2016/679 on privacy. The Guarantor (the Italian Data Protection Authority) has therefore released its FAQs and the designation form for the Data Protection Officer, RPD (DPO).
In view of the coming into effect of the new EU Regulation 2016/679 on the protection of personal data, scheduled for May 25th 2018, and the consequent repeal of Legislative Decree no. 196 of June 30th, 2003, the government, through the Council of Ministers of March 21st, 2018, approved in preliminary examination a legislative decree that, in implementation of art. 13 of the European delegation law no. 163 of October 25th, 2017, introduces provisions for adapting national legislation to the European Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
On this occasion, on March 26th, 2018, eight FAQs on the role of the Data Protection Officer (DPO) in the private sector were published on the privacy guarantor’s website.
From the new FAQs, we consider no. 6 and no. 8, which deal with the new organizational aspects of the DPO function:
6. Must the person responsible for the protection of personal data be an internal subject or can this person also be an external subject? What are the methods for engagement?
The role of Person in charge of the protection of personal data (DPO) can be held by an employee of the controller or processor (not in conflict of interest) who knows the operational reality in which the processing operations take place; the assignment can also be entrusted to external parties, on the condition that they guarantee the actual fulfilment of the tasks that Regulation (EU) 2016/679 assigns to this figure.
The DPO will be appointed by means of a specific designation deed, while one chosen externally must have the same prerogatives and safeguards as an internal one and will have to operate on the basis of a service contract. These documents, to be drafted in writing, must expressly indicate the assigned tasks, the resources assigned for their execution, as well as any other useful information in relation to the context of reference.
In carrying out its duties, the DPO (internal or external) must receive adequate support in terms of financial, infrastructural and, where appropriate, personnel resources. The controller or data processor who has appointed a Data Protection Officer remains fully responsible for complying with data protection legislation and must be able to demonstrate it.
The contact details of the designated DPO must then be published by the data controller or data processor. It is not necessary – even if it could be a good practice – to also publish the name of the person in charge of data protection: it is up to the data controller, processor or the DPO to assess whether, depending on the specific circumstances, it may be useful or necessary information.
Instead, the name of the Data Protection Officer and the related contact data must be communicated to the Control Authority.
To this end, at present, it is possible to use the model referred to in the following link: http://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/7322292
8. Is the person responsible for the protection of personal data a physical person or can it also be a different figure?
Regulation (EU) 2016/679 expressly provides that the person responsible for the protection of personal data (DPO) may be an “employee” of the data controller or data processor (Article 37, paragraph 6 of the Regulation); obviously, in medium and large organizations, the DPO, who must in any case be identified in a physical person, can also be supported by a dedicated office equipped with the skills necessary for the performance of their duties.
If the DPO is identified in an external party, the latter may also be a legal person.
In any case, it is recommended to proceed with a clear division of responsibilities, identifying only one natural person able to act as a point of contact with the data subjects and the Supervisory Authority.
Therefore, if the DPO is identified in an external entity, the latter may also be a legal person (e.g. a corporation). In this case, as already indicated in the Article 29 Working Party Guidelines published in April 2017 with reference to the more general criterion of “organization”, which covers not only legal entities but also similar bodies, there must be a clear division of responsibilities, identifying only one natural person who will represent the point of contact with the office of the Guarantor itself and who will perform this function on behalf of the client.
By Benedetta Fantauzzi, OmnitechIT Legal Security & GRC Consultant