A Data Protection Officer (DPO) is a security role required by the General Data Protection Regulation 2016/679 (GDPR) published in the official Journal of the European Union L 119 on 4 May 2016.
The DPO, historically present in some European legislations, is a professional who plays a role within a company (either in-house or outsourced) having legal competencies, e-skills, risk management and business process analysis skills. The main tasks of a DPO are to observe, evaluate and organize the personal data processing activities (and therefore the Personal Data protection) within a company (be it a public or a private one) so that personal data are processed in compliance with the European and national privacy laws.
In the Anglo-Saxon world such a professional may be called a Chief Privacy Officer (CPO), a Privacy Officer, a Data Protection Officer or a Data Security Officer.
The Data Protection Regulation, which came into force on 25 May 2016, will be applied to all 28 EU Member States as from 25 May 2018. It governs the appointment of the Data Protection Officer (in Italian Responsabile della protezione dei dati) in the following cases:
a) the processing is carried out by a public authority or a public body, with the exception of the courts when they exercise their jurisdictional functions;
b) due to their nature, scope and/or purpose the main activities of the Data Controller or the Data Processor require regular and systematic monitoring of data subjects on a large scale; or
c) the main activities of the Data Controller or the Data Processor are the processing, on a large scale, of particular categories of personal data referred to in Article 9 (special data |sensitive data) or of data relating to criminal offences and crimes referred to in Article 10.
Article 9 of the Regulation at paragraph 1 defines the special categories of personal data (former sensitive data) and in particular personal data that: “reveal the racial or ethnic origin, political opinions, religious or philosophical convictions, or union membership, as well as processing genetic data, biometric data intended to uniquely identify a physical person, data related to the health or sexual life or sexual orientation of the person”.
Article 39 of the European Data Protection Regulation lists the main tasks of the DPO (Data Protection Officer):
1. The Data Protection Officer | DPO | is responsible for at least the following tasks:
a) Inform and provide advice to the Data Controller or Data Processor as well as to employees processing the obligations arising from the European Data Protection Regulation as well as other data protection provisions of the Union or Member States;
b) Monitor compliance with the European Data Protection Regulation, other Union or Member State provisions concerning data protection and the policies of the Data Controller or Data Processor in the area of personal data protection, including the assignment of responsibilities, the awareness and training of personnel involved in the processing and related control activities;
c) If requested, provide an opinion on the impact assessment on data protection and monitor its performance in accordance with Article 35;
d) Cooperate with the supervisory authority; and
e) Act as focal point for the supervisory authority on issues related to the processing, including prior consultation as referred to in Article 36, and, where appropriate, consultations on any other issue.
2. The Data Protection Officer duly considers the risks inherent in the processing, while carrying out his/her duties thus taking into account nature, scope, context and purpose of the processing.
The Association of Data Protection Officers (ASSO DPO) was created to accompany companies, privacy consultants and current Data Controllers and Data Processors in the professional training of future Data Protection Officers and namely through: