June 11, 2021

The role of the DPO in the public sector: New guidance from the Italian Data Protection Authority

Thanks to Luca Russo for collaborating on this article

On May 24, 2021, the Italian Data Protection Authority (hereinafter the “Garante”) published on its website “Guidance on designation, position and tasks of the Data Protection Officer in the public sector” (“Guidance”). The Garante published this Guidance in response to several issues and questions that arose during the first three years of full application of the General Data Protection Regulation (“GDPR”). Notably, the Garante highlighted that quite often the obligation to appoint a Data Protection Officer (“DPO”) has been seen as a mere formality, with the importance of that role failing to be acknowledged, especially in the public sector.

The Garante underlined the importance of the DPO as the point of contact between the controller/processor and the relevant authority (the Garante itself): information and communications sent by the Garante to the controller/processor are also addressed to the DPO, and the controller and/or processor must involve the DPO in every aspect of a proceeding pending before the Garante. The Garante needs to communicate with someone with expertise and knowledge in the area of privacy and data protection.

Among all the aspects the Guidance encompasses, two are especially important: the appointment of a single DPO for several public entities and conflicts of interest regarding the position of the DPO.

The Garante acknowledged that in the public sector, often several public entities (such as small municipalities) rely on a single DPO. This is a simplification provided by the GDPR itself (Section 37, para. 3) to cut costs and streamline the selection process. However, a few critical aspects arise: the high number of public entities to manage and the differences in processing their personal data (for instance, the processing carried out for a healthcare facility as opposed to that for a public school) can hinder the work of the single DPO in the sense that, due to time constraints, the DPO may not adequately carry out their work. To solve these issues, the Garante stated that each public entity must evaluate, on the basis of the principle of accountability, whether the single DPO can carry out and perform their duties as DPO for all the public entities that selected them, and may also assemble a team to provide assistance to the DPO or predetermine the percentage of work to be carried out for each public entity.

This issue also seems to be closely linked to the low remuneration provided to DPOs in the public sector. According to the Garante, low remuneration pushes DPOs to accept multiple assignments from different public entities to reach an adequate level of pay, giving rise to the abovementioned issues.

Another issue the Garante tackled is the conflict of interest between individuals having different duties that may give rise to incompatibility with the role of DPO (e.g., a controller who is also DPO). To this end, the WP29 “Guidelines on Data Protection Officers” provide best practices to avoid any kind of conflict of interest by identifying several leading roles that are fundamentally incompatible with the position of DPO (such as the financial manager, human resources director, or anyone who acts upon and establishes aspects of both privacy by default and privacy by design). Generally speaking, anyone appointed to a leading role in the controller/processor orbit and directly involved in decisions concerning processing modalities and purposes cannot be considered impartial enough to carry out the important duties and tasks of a DPO. The Garante found that several processors for public entities were also designated as DPOs, thus hindering further the potential for these individuals to carry out their tasks as DPOs. This critical issue also arose in all public entities that designated their IT experts/department heads as DPOs: the Garante found that IT experts (who would, in essence, be supervising themselves in this scenario) are not impartial enough to monitor the procedural and technical aspects of processing, leading to a permanent conflict of interest.
