On 4 May 2016, the texts of the European Data Protection Regulation and of the Directive governing the processing of personal data for the purposes of crime prevention and prosecution were published in the Official Journal of the European Union (GUUE); they will be directly applicable in all EU Member States from 25 May 2018.
These regulatory instruments entered into force on 24 May 2016, with the aim of guaranteeing a coherent framework and an overall harmonized system in this field in the EU. An updated legal framework was necessary in view of the rapidity of technological evolution and globalization, which entail new challenges for the protection of personal data. Indeed, the sharing and collection of personal data have increased significantly and require a more solid and coherent legal framework and more effective implementation measures.
The European Privacy Regulation has introduced new protections for data subjects (the "interested parties") and, consequently, new obligations for controllers and processors of personal data, including companies.
The Data Protection Officer (DPO) is one of the many features introduced by the new regulations, mandatory for companies with over 250 employees and for all public bodies. Although this professional profile is new to the Italian scene, it has historically been present in the legislation of some other European countries.
The DPO is a professional who holds a corporate role requiring legal, IT, risk management and process analysis skills. His/her main responsibility is to oversee, evaluate and organize the management, processing and protection of personal data within a company, so that such data are processed in compliance with European and national privacy laws. The DPO is also an independent figure who reports on his/her work directly to top management, which in turn must provide the resources necessary for the full performance of his/her duties.
The new Regulation provides that the person holding this role may be either a company employee or an external consultant. On this point, it should be noted that, in any case, the DPO must be independent and exercise his/her functions without giving rise to a conflict of interest. Therefore, although the DPO may also perform other tasks, these must not be incompatible with the role. It is consequently difficult to reconcile these requirements within a company, given that the function in question, if entrusted to employees, would easily result in a form of self-monitoring, contrary to the principles outlined above.
The German Privacy Guarantor, called upon to rule on whether the role under examination was compatible with that of a company's IT manager, acknowledged the existence of a conflict of interest, since the IT manager would have had to check his/her own work, verifying whether his/her activities complied with the legislation on the protection of personal data.
In addition, on 13.12.2016 the "Article 29 Data Protection Working Party" adopted guidelines on the subject, which reaffirmed that, even if the Data Protection Officer is allowed to perform other functions at the same time, it must be ensured that "such duties do not give rise to a conflict of interests".
Our Group has begun training the personnel needed to acquire the requirements and skills useful for DPO "certification".
For several years, as part of the security assessments we carry out for our customers, we have also evaluated the privacy aspects affecting access control and the management of personal data in connection with workplace video surveillance and business tools.
Call the toll-free number to receive an estimate immediately and obtain free, confidential advice. Alternatively, use the form at the bottom of this page to send us a request.