Data Protection Officer
The Data Protection Officer
The Data Protection Officer («DPO») is a role introduced by the GDPR and must not be confused with the processor. The controller or the processor designates the Data Protection Officer in order to receive the support, advice, training and information needed to fully comply with the requirements of the GDPR. The DPO cooperates with the supervisory authority (to which the DPO’s contact details must be communicated) and is a contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR.
The DPO may be a staff member of the controller or the processor or an external person.
The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Who is obliged to designate a Data Protection Officer
The designation of a DPO is mandatory:
1. if the processing is carried out by a public authority or body (irrespective of what categories of data are being processed)
2. if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
3. if the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences or related security measures.
Tasks of the Data Protection Officer
The GDPR entrusts the DPO, among others, with the duty to monitor compliance with the GDPR. The GDPR further specifies that the DPO should assist the controller and the processor, provide advice, issue recommendations, and monitor internal compliance with the GDPR. Therefore, the controller or the processor should seek the DPO’s advice and support in monitoring compliance with the requirements of the GDPR.
In order to do this, the DPO must:
1. collect any information useful for understanding the processing activities carried out and the organisation in which they are performed, so as to identify the processing activities and their characteristics
2. analyse and check that the processing performed is compliant with the GDPR
3. inform, give advice and guidance or suggest appropriate procedures to comply with the GDPR
4. organise training for persons authorised to process data
5. be involved in data processing activities from their design stage, giving recommendations and guidelines
6. be the contact point for the supervisory authority and data subjects.
As far as the Records of processing activities are concerned, it is the controller and the processor, not the DPO, who are required to maintain them. However, nothing prevents the controller and the processor from assigning the DPO the task of maintaining the Records of processing activities under the responsibility of the controller or the processor. Such Records should be considered as one of the tools enabling the DPO to perform the tasks of monitoring compliance, informing and advising the controller or the processor.
The GDPR provides a list of tasks that the DPO must have as a minimum. Nothing prevents the controller or the processor from assigning the DPO tasks other than those explicitly mentioned, or from specifying those tasks in more detail.
Professional qualities of the Data Protection Officer
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks.
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed.
Therefore, relevant skills and expertise include:
1. expertise in national and international data protection legislation and practices, including an in-depth understanding of the GDPR
2. understanding of the processing operations carried out
3. understanding of information technologies and data security
4. knowledge of the specific business activity and organisation of the controller or the processor
5. ability to offer appropriate recommendations and advice in order to design, control and maintain an organised data protection system, cooperating in the implementation of a set of measures (including data security) and safeguards adequate to the organisation of the data processing operations envisaged
6. ability to promote a data protection culture in the organisation, also by organising training.
Appointment and communication to the supervisory authority of the Data Protection Officer
The GDPR recognises the DPO as a key player in the new data protection governance system and lays down conditions for the appointment, position and tasks of the DPO.
The appointment of the DPO must be made in writing and must determine the tasks, after it has been ascertained that the person has the professional qualities and skills required by the GDPR. The appointment can be freely drawn up.
The DPO’s contact details should be communicated to the supervisory authority: in Italy, an online procedure (Italian version) is to be used for this obligation (https://servizi.gpdp.it/comunicazione-rpd/). To find out what data should be communicated and how to fill in the communication, you can consult the PDF template and the instructions (Italian version) made available by the Italian supervisory authority.
The Italian supervisory authority has also made available a template (Italian version) to communicate the DPO’s revocation.