​The position of the Data Protection Officer ("DPO") represents one of the main innovations introduced by the European Union’s (EU) General Data Protection Regulation (“GDPR”) in 2018. It represents one of the key roles to ensure adequate governance of company systems for the protection of personal data.

The identification of the DPO relies on his/ her specialist knowledge of personal data protection laws and practices, his/ her professional skills, ability to perform duties, as well as his/ her position of autonomy and independence.

The Data Protection Officer is called to perform, within the realities in which he/ she carries out his activity, an essential role to ensure the correctness and compliance of the processing of personal data - carried out by the aforementioned companies, public or private - with respect to the provisions of Regulation (EU) 2016/679 and, in general, of all the current legislation on the protection of personal data. Private organizations and Public Administration - upon recourse to specific assumptions referred to below – are required to engage a DPO, whose main task is that of informing and providing advice to the owner (or manager) of data processing, as well as to the employees who carry out the treatments. Such an activity is carried out to set up an adequate system for the protection of personal data and to ensure that the data processing complies with regulatory provisions.

The Data Protection Officer is required to monitor compliance with European and national privacy legislation, as well as the internal policies adopted by the owner (or manager) regarding the protection of personal data, including the attributions of roles and responsibilities.

In addition, the Data Protection Officer is given the task of raising awareness among employees who participate in the data processing and related control activities. The DPO provides a professional opinion on the data protection impact assessment and cooperates with the supervisory authority.

Article 37 of the GDPR establishes, among other things, the conditions that make the designation of the DPO mandatory:

  • ​The processing of personal data is carried out by a public authority or a public body (without prejudice to courts when exercising their judicial functions);​​

  • The main activities of the controller or processor consist of processing operations which, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale;

  • The main activities of the controller or processor consist of the processing, on a large scale, of special categories of personal data or data relating to criminal convictions and offences.

It is envisaged that a business group may appoint a single Data Protection Officer, provided that the same is easily accessible from each establishment. For public authorities or bodies, the legislation provides for the possibility of designating a unique Data Protection Officer for multiple public authorities or public bodies, after careful considerations about their organizational structure and size. The GDPR also provides for the need for the data controller (or manager) to publish the contact details of the Data Protection Officer and to communicate them to the supervisory authority.

​The DPO is a mandatory figure, upon the occurrence of certain conditions, introduced by the GDPR to inform and provide advice to the owner or manager of data processing, as well as to the employees who perform the processing. It represents an independent control to protect citizens, customers and prospects, employees by ensuring that the processing of personal data takes place in compliance with current privacy legislation

In summary, the DPO is called upon to provide specialist, technical and legal advice to the data controller (or manager) and employees so that they acquire and take into account, in daily operations, all these elements that are necessary to ensure compliance with Regulation (EU) 2016/679 and all current privacy legislation when personal data are collected, processed and stored. It is therefore appropriate that the DPO be involved on every issue concerning the protection of personal data so that appropriate technical and organizational measures are put in place to ensure that the same processing of personal data does not put at risk the rights and freedoms of natural persons. 

In Italy, following the entry into force of the GDPR, about 60,000 Data Protection Officers were identified at the end of 2020. Considering the primary role that the protection of the privacy of data subjects (e.g. customers, prospects, employees) plays within the Unipol Group, a functional adaptation project was launched already before 25 May 2018 to ensure compliance with the GDPR. Such a project has provided, among other things, for the establishment of the DPO who uses, in daily operations, constantly updated and competent collaborators who support him/ her in his/ her tasks. It is envisaged that each interested party can always request clarifications regarding the processing of their personal data, as well as exercise the rights guaranteed by Regulation (EU) 2016/679 by contacting the DPO. The contact details of the DPO are always available on the internal websites of the Unipol Group companies and in the privacy forms issued to the interested parties. 

With regard to UnipolTech, the Company adopts the highest standards of protection (continuously updated) for personal data of third parties, customers, prospects, employees and collaborators. All the necessary measures to guarantee confidentiality and security are implemented from the beginning. UnipolTech's Privacy Policy is available at the following link.​