What is a Data Protection Officer?
A Data Protection Officer (DPO) is a security role required by the General Data Protection Regulation 2016/679 (GDPR), published in the Official Journal of the European Union L 119 on 4 May 2016.
The DPO, a role historically present in some European legislation, is a professional who works within a company (either in-house or outsourced) and who combines legal competence, IT skills, risk management and business process analysis skills. The main tasks of a DPO are to observe, evaluate and organize the personal data processing activities (and therefore the protection of personal data) within a company, whether public or private, so that personal data are processed in compliance with European and national privacy laws.
In the Anglo-Saxon world such a professional may be called a Chief Privacy Officer (CPO), a Privacy Officer, a Data Protection Officer or a Data Security Officer.
Who can appoint the DPO?
The Data Protection Regulation, which came into force on 25 May 2016, will apply in all 28 EU Member States from 25 May 2018. It requires the appointment of a Data Protection Officer (in Italian: Responsabile della protezione dei dati) in the following cases:
a) the processing is carried out by a public authority or a public body, with the exception of the courts when they exercise their jurisdictional functions;
b) due to their nature, scope and/or purpose the main activities of the Data Controller or the Data Processor require regular and systematic monitoring of data subjects on a large scale; or
c) the main activities of the Data Controller or the Data Processor consist of the processing, on a large scale, of the special categories of personal data referred to in Article 9 (special data, formerly sensitive data) or of data relating to criminal offences and crimes referred to in Article 10.
Article 9(1) of the Regulation defines the special categories of personal data (formerly sensitive data), and in particular personal data that "reveal the racial or ethnic origin, political opinions, religious or philosophical convictions, or union membership, as well as the processing of genetic data, biometric data intended to uniquely identify a physical person, and data related to the health or sexual life or sexual orientation of the person".
What will the DPO do?
Article 39 of the European Data Protection Regulation lists the main tasks of the DPO (Data Protection Officer):
1. The Data Protection Officer (DPO) is responsible for at least the following tasks:
a) Inform and advise the Data Controller or Data Processor, as well as the employees who carry out processing, of their obligations arising from this Regulation and from other data protection provisions of the Union or Member States;
b) Monitor compliance with this Regulation, other Union or Member State provisions concerning data protection and the policies of the Data Controller or Data Processor in the area of personal data protection, including the assignment of responsibilities, the awareness and training of personnel involved in the processing and related control activities;
c) If requested, provide advice on the data protection impact assessment and monitor its performance in accordance with Article 35;
d) Cooperate with the supervisory authority; and
e) Act as the contact point for the supervisory authority on issues related to the processing, including the prior consultation referred to in Article 36, and, where appropriate, consult on any other matter.
2. In carrying out his/her tasks, the Data Protection Officer shall have due regard to the risks inherent in the processing, taking into account the nature, scope, context and purposes of the processing.
How can companies and consultants prepare for the future European Regulation?
The Association of Data Protection Officers (ASSO DPO) was created to support companies, privacy consultants and current Data Controllers and Data Processors in the professional training of future Data Protection Officers, namely through:
- A Scientific Committee that works for the development of standards and best practices;
- Working groups made up of members and experts who study key Data Protection issues in depth and prepare summary documents, which are presented at public meetings and seminars organized specifically for the members;
- The signing of agreements with partners that might bring benefits to the members (Conventions – Insurance companies, etc.);
- Workshops dedicated to members;
- The organization of an annual Congress that brings together data protection authorities (Garanti), privacy associations and DPOs from all over the world;
- The promotion of Advanced Training with agreements with training companies and Universities;
- The issuing of the Certificate of Quality and Professional Qualification of the Services Provided and enrolment in the Professional Register of ASSO DPO (Law 4/2013);
- The exchange of experiences and ideas through the www.assodpo.it portal or the ASSO DPO linkedin group.
Will members be able to use the ASSO DPO trademark?
Full members who actively follow the activities of the Association are entitled to use the trademark, which is governed by specific Regulations.