Processing under the authority of the controller or the processor (persons authorised to data processing)
Persons authorised to data processing: how to identify them and what requirements shall be met
Any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data, except on instructions from the controller or the processor. These persons shall carry out data processing according to their tasks. The persons authorised to data processing must have committed themselves to confidentiality or must be under an appropriate statutory obligation of confidentiality.
The GDPR makes no provisions how to appoint these persons.
The Italian Data Protection Code, as amended to introduce more specific provisions to adapt the application of the rules of the GDPR, provides that the controller or the processor may decide autonomously and under their own responsibility (meeting the principle of accountability) the best procedure to identify and give instructions to the persons authorised to data processing. A good recommended practice is to give written instructions, with rules which request confidentiality and application of documented procedures decided by the controller or the processor to respect the GDPR requirements (e.g.: data protection policies).
This role can be assigned only to a natural person and anyone, regardless of the purposes of processing and the category of data, who carries out processing, must be appointed as a person authorised to data processing.