Consulting for the Appointment of the DPO (Data Protection Officer)

Who is the Data Protection Officer?

The DPO (Data Protection Officer) is the data protection officer of an organization, public or private. The definition of this role, a founding element of the principle of accountability, is due to the EU Regulation, which contains specific indications and details regarding the requirements and duties of this figure.

The person responsible for the protection of personal data is a figure identified by the European Regulation n. 2016/679, general data protection regulation (known as GDPR, from the English “General Data Protection Regulation”), which constitutes the fundamental rule on privacy and protection of personal data for all Member States of the European Union.

What does the DPO do?
The manager works as a consultant, performing an important function of support and stimulus to the organization. Specifically, its task is to assist the data controller in carrying out the activities and processes involving the processing of personal data, and must therefore ensure that the rules on privacy and data protection are safeguarded and respected .

When is the appointment of the DPO mandatory?
In some cases, the DPO is a figure that must be identified, but of great importance for companies and public bodies that process large amounts of data.

In particular, a DPO must be identified in the following cases, as required by art. 37 of the GDPR:

when the treatment is carried out by public authorities or by a public body, except the judicial authorities when they exercise their judicial functions;
if the activities and main professional duties of the data controller consist of treatments which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, including all treatments carried out for marketing by large companies, including online, or by any other means;
if the main activities of the data controller consist of the processing, on a large scale, of particular categories of personal data referred to in Article 9 (such as, for example, activities processing trade union or biometric data, credit institutions and businesses insurance) or data relating to criminal convictions and crimes referred to in Article 10.
Who appoints the data protection officer?
It is the data controller who designates the data protection manager, selecting a professional figure who is aware of the legislation on personal data and has the necessary skills in the legal area, in the area of cybersecurity and the assessment of risk, so that it is able to fulfill its role as established by law.

The appointed manager must ensure corporate compliance with the constantly changing law guaranteeing the flow of information in this regard to the Data Controller. Once the DPO has been designated, it is necessary to communicate his name to the supervisory authority, the Guarantor for the Protection of Personal Data.