21 Sep 2020

Who is the Data Protection Officer?

The Data Protection Officer (DPO) is a professional figure introduced by the General Data Protection Regulation 2016/679 | GDPR adopted on April 27, 2016 and directly applicable in all European Member States starting from May 25, 2018.

The DPO is a professional, who can be both internal and external to the Company, knowledgeable about legal, IT, process analysis and risk management skills. Its main function is to supervise, evaluate and organize the management of the processing of personal data within a company so that they are treated in compliance with current privacy regulations.

The GDPR introduces the principle of accountability translated as “accountability”; personal data protection is the responsibility of the Companies, which must guarantee safety from possible intrusions into their IT systems (“data breach”).

The DPO is an independent figure within a company who is in charge of collaborating with the top management and operates in all company levels to prevent potential risks. Its introduction marks the beginning of a control system a posteriori and no longer a priori.

When should a DPO be appointed?

The Data Protection Regulation, which entered into force on April 27, 2016 and applied to all 28 EU Member States as of May 25, 2018, governs the establishment of the Data Protection Officer in the following cases:

  • the processing is carried out by a public authority or a public body, with the exception of the judicial authorities when they exercise their judicial functions
  • the main activities of the Data Controller or the Data Processor consist in treatments which, by their nature, scope of implementation and/or purpose, require regular and systematic monitoring of data subjects on a large scale; in the large-scale processing of particular categories of personal data referred to in Article 9 (particular sensitive data) or data relating to criminal convictions

By particular categories of data (or sensitive data) we mean personal data that: “reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as treating genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person”.

DPO and data processing manager, two figures not to be confused. What is the difference between the two roles?

It is important to distinguish the figure of the DPO from that of the data controller.

The data controller is the natural person, legal person, public administration or authority which processes personal data on behalf of the data controller. Therefore, if the data controller outsources a service by entrusting it to a third party and as part of this service also entrusts them with personal data, the third party who performs the service on behalf of the owner is the data processor.

The DPO is instead the Data Protection Officer.

What are the DPO’s duties?

According to Article 39 of the GDPR, the DPO must carry out the following activities:

  • informs and advises the Data Controller or Data Processor and employees regarding their obligations deriving from the EU Privacy Regulation and other privacy regulations
  • monitors compliance with the GDPR and other privacy regulations as well as the policies of the Data Controller or the Data Processor regarding the protection of personal data, including the attribution of responsibilities, the awareness and training of the personnel participating in the treatments and related control activities (internal audits)
  • provides, when requested, opinions relating to the impact assessment on data protection and supervises the performance pursuant to Article 35
  • cooperates with the supervisory authority

Comments are closed.

Call us