NewsNews-homepageProfessionals are not obliged to designate a Data Protection Officer (DPO)

by Giuditta Savonitto


From 25 May 2018 the EU Regulation 2016/679 concerning the protection of personal data of natural persons is applied, better known by the acronym of “GDPR” (General Data Protection Regulation). Email boxes across Europe have been flooded with informational messages updating the new privacy. What we have just witnessed has been a real race towards adaptation.

The uncertainties and doubts are not lacking. How should I proceed? Do I also return to the subjects required to adapt? Should I or should I do not appoint the Data Protection Officer?

These and other questions that every professional has asked himself. The Italian Privacy Authority came to help with a series of FAQs that answered in a simple and immediate way to some of the questions that for months have been affecting mainly the most modest professional realities. In particular, the Authority focused on the figure of the Data Protection Officer (DPO). The figure in question is a natural person designated by the Data Controller or by the Data processor to perform support and control functions regarding the correct application of the new legislation, constituting the point of contact between the Data Controller and the Authority.

But its designation in the private sphere is not mandatory for everyone. The Authority has in fact specified that, outside the cases provided for by article 37, par. 1, lett. b) and c) of the Regulations, i.e. subjects whose main activities consist of treatments that require regular and systematic monitoring of the interested parties on a large scale, the designation of the DPO is not imposed. Therefore, free-lance professionals working in individual form, individual or family businesses, and small and medium-sized enterprises with regard to data processing of suppliers and employees are excluded. A breath of relief for the most modest commercial and professional activities, but which constitute a numerically and economically significant reality.

The Authority, however, has specified that, despite the lack of a legal obligation, it is always advisable to designate this ‘manager’ because, in light of the principle of accountability, the Data Controller must be able to demonstrate that he has adopted a comprehensive process of personal data protection measures.