Consulting for the Appointment of the DPO (Data Protection Officer)
Who is the Data Protection Officer?
The DPO (Data Protection Officer) is the person responsible for data protection within an organization, public or private. The definition of this role, a founding element of the principle of accountability, comes from the EU Regulation, which sets out specific requirements and duties for this figure.
The person responsible for the protection of personal data is a figure identified by European Regulation no. 2016/679, the General Data Protection Regulation (GDPR), which constitutes the fundamental law on privacy and the protection of personal data for all Member States of the European Union.
What does the DPO do?
The DPO acts as a consultant, performing an important function of support and stimulus for the organization. Specifically, the DPO's task is to assist the data controller in the activities and processes that involve the processing of personal data, and therefore to ensure that the rules on privacy and data protection are safeguarded and respected.
When is the appointment of the DPO mandatory?
In some cases the DPO is a figure that must be appointed; the role is in any event of great importance for companies and public bodies that process large amounts of data.
In particular, a DPO must be appointed in the following cases, as required by Art. 37 of the GDPR:
when the processing is carried out by a public authority or public body, except for judicial authorities acting in their judicial capacity;
if the core activities of the data controller consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, including all processing carried out for marketing purposes by large companies, online or by any other means;
if the core activities of the data controller consist of large-scale processing of the special categories of personal data referred to in Article 9 (for example, processing of trade union or biometric data, or the activities of credit institutions and insurance companies) or of data relating to criminal convictions and offences referred to in Article 10.
Who appoints the data protection officer?
It is the data controller who designates the data protection officer, selecting a professional who knows the legislation on personal data and has the necessary skills in the legal area, in cybersecurity and in risk assessment, so that they are able to fulfil the role as established by law.
The appointed officer must ensure the organization's compliance with constantly changing law, guaranteeing the flow of information on this subject to the Data Controller. Once the DPO has been designated, their name must be communicated to the supervisory authority, the Guarantor for the Protection of Personal Data.
identify a DPO (Data Protection Officer), i.e. a lawyer, an engineer, or in any case a person who knows the legislation and practices on privacy, chosen from among the employees or from outside the company, designated by whoever holds the governance and management (or the director) of the company, public body or public administration. As the Guarantor Authority has specified, there is no obligation to designate persons holding any certification or attestation, because the only necessary requirement is knowledge of the relevant discipline.
inform and advise the data controller on the obligations deriving from this Regulation as well as from other provisions of the Union or of the Member States relating to data protection; the DPO will be able to identify the guidelines to follow, in compliance with the EU directive in force and the GDPR, and indicate the necessary procedures and the useful practices to adopt (for example, in the event of a data breach).
verify that the processing carried out complies with the Policy, and supervise compliance with the Regulation, with other provisions of the Union or of the Member States, and with all legal obligations established and communicated in any way, with the specific rules relating to a given sector, or with the internal regulations relating to data protection, as well as the data controller's policies