The position of the Data Protection Officer ("DPO") is one of the main innovations introduced by the European Union's (EU) General Data Protection Regulation ("GDPR"), which became applicable in 2018. It is one of the key roles for ensuring adequate governance of an organization's systems for the protection of personal data.
The DPO is selected on the basis of his/her expert knowledge of data protection law and practice, his/her professional qualities and ability to fulfil the tasks of the role, and his/her position of autonomy and independence within the organization.
Within the organization in which he/she operates, the Data Protection Officer performs an essential role in ensuring that the processing of personal data carried out by that organization, whether public or private, is correct and compliant with Regulation (EU) 2016/679 and, more generally, with all legislation in force on the protection of personal data. Private organizations and public administrations are required, where the specific conditions listed below apply, to designate a DPO, whose main task is to inform and advise the controller (or processor) and the employees who carry out the processing. This activity serves to establish an adequate system for the protection of personal data and to ensure that processing complies with the regulatory provisions.
The Data Protection Officer is required to monitor compliance with European and national privacy legislation and with the internal policies adopted by the controller (or processor) on the protection of personal data, including the assignment of roles and responsibilities.
In addition, the Data Protection Officer is tasked with raising awareness among the employees who take part in processing operations and in the related control activities. The DPO provides a professional opinion on data protection impact assessments and cooperates with the supervisory authority.
Article 37 of the GDPR establishes, among other things, the conditions that make the designation of the DPO mandatory:
The processing of personal data is carried out by a public authority or a public body (except for courts acting in their judicial capacity);
The main activities of the controller or processor consist of processing operations which, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale;
The main activities of the controller or processor consist of the processing, on a large scale, of special categories of personal data or data relating to criminal convictions and offences.
A group of undertakings may appoint a single Data Protection Officer, provided that the DPO is easily accessible from each establishment. For public authorities or bodies, the legislation allows a single Data Protection Officer to be designated for several public authorities or bodies, taking account of their organizational structure and size. The GDPR also requires the controller (or processor) to publish the contact details of the Data Protection Officer and to communicate them to the supervisory authority.