Persons authorised to data processing
In the case of a processor, shall the appointment be an obligation of the controller or of the processor?
The GDPR clarifies that the person authorised to data processing acts under the authority of the controller or the processor. As regards the instructions to be given to the processor, the GDPR expressly mentions the obligation of the processor to ensure that the persons authorised to process data commit themselves to confidentiality. Therefore, it is an obligation of the processor to identify and appoint the persons authorised to data processing.
How can a person authorised to data processing be appointed?
The GDPR makes no provision for this case. The amended Italian Data Protection Code allows the controller and the processor to choose the most appropriate procedure. It is recommended that their appointment should be in writing and contain instructions on tasks and obligations in order to comply with the principles of the GDPR. Needless to say that an internal policy and training are good practices to consider.