The EU Regulation no. 2016/679, better known as GDPR, has brought with it many innovations including the introduction of the DPO – Data Protection Officer, i.e. a point of connection between the owner and manager on the one hand and the Supervisory Authority on the other. This is a real professional figure who, in addition to knowing the industry regulations, must also possess managerial qualities and a good knowledge of new technologies. Let’s get some clarity on this role.
The DPO may be an employeeof the data controller or processor or may perform his or her duties on the basis of a service contract and thus be a freelancer. The latter will be difficult to do in the case of public administrations given the chronic lack of funds; much more plausible in this case will be an appointment from among their own internal resources. In contrast, but for other reasons, in the private sector it will be more likely to use an external figure: many companies are very exposed from the point of view of privacy for the activity carried out and consequently for the data processed (for example, companies in the banking sector, health, etc.) and should therefore invest in the field of data protection ensuring the advice of competent professionals with contracts that provide a commitment of at least 4 years renewable.
Let’s try to understand this distinction between employees and freelancers even better by looking specifically at the duties of the DPO.
According to Article 39(1)(b) of the GDPR, the DPO is responsible for overseeing compliance with the Regulation itself. The owner or manager of the processor should be should be “assisted [dal DPO] in monitoring internal compliance with this Regulation”. In doing so, the DPO must deal with the collection of information to identify the treatments carried out, the analysis and verification of treatments in terms of their compliance and the activation of information, advice and guidance to the owner or manager. It should be noted that monitoring compliance with the Regulations does not mean that the DPO is personally liable in the event of non-compliance. In fact, the Regulation specifies that it is the responsibility of the controller “to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is carried out in compliance with this Regulation” (art. 24, paragraph 1).
Also in Article 39(1) (d) and (e), the DPO must “cooperate with the supervisory authority” and “act as a point of contact for the supervisory authority for matters related to the processing, including prior consultation referred to in Article 36, and carry out, where appropriate, consultations in relation to any other matter”. The guidelines help to understand how these tasks are incumbent on the DPO as a point of contact to facilitate access by the supervisory authority to the documents and information necessary for the performance of the tasks set out or related to the exercise of investigative, corrective, authorizing and consultative powers under Art. 58 of the Regulations.
In the second paragraph, art. 39 states that the DPO must “give due consideration to the risks inherent in the processing, having regard to the nature, scope, context and purposes of the processing”. This is a generic provision based on common sense criteria: the DPO must prioritize his or her work and focus on issues that present the greatest data protection risks.
Article 35 of the Regulation speaks of impact assessment on data protection (DPIA according to the English acronym), an operation borne by the owner of the treatment when the treatment itself may present a high risk for the rights and freedoms of natural persons. The data controller will be required to conduct a data protection impact assessment where necessary. In this context, the DPO plays a role in assisting the owner. To stay on the topic of DPIA, Art. 39 entrusts the DPO with the task of “providing, if requested, an opinion on the data protection impact assessment and overseeing its conduct”. For the avoidance of doubt, it is specified that the Data Controller shall consult with the DPO on the following issues: whether or not to conduct a DPIA; what methodology to adopt in conducting a DPIA; whether to conduct the DPIA with internal resources or to outsource it; what safeguards to apply to mitigate risks to the rights and interests of data subjects; whether or not the DPIA has been properly conducted; and whether or not the conclusions reached comply with the Regulation.
Article 30 of the Regulation provides that each data controller and its representative, if any, must keep a register of the processing activities carried out under its responsibility – a similar provision also applies to the data controller. A principal or manager must then “maintain a register of processing activities carried out under their responsibility” that is “a register of all categories of processing carried out on behalf of a controller”. This is therefore not a task for the DPO, although in reality it is often the DPOs themselves who carry out the inventory of processing and keep their own register based on information provided by the various offices that process personal data. This is an aspect of the Regulation that is not very clear, given that the first paragraph of art. 39 describes a non-exhaustive list of tasks entrusted to the DPO. This register should be considered as one of the tools that allow the DPO to fulfill its obligations to monitor compliance with the regulation, inform and advise the owner or manager.
Sara Avanzi