June 11, 2021

The role of the DPO in the public sector: New guidance from the Italian Data Protection Authority

Thanks to Luca Russo for collaborating on this article

On May 24, 2021, the Italian Data Protection Authority (hereinafter the “Garante”) published on its website “Guidance on designation, position and tasks of the Data Protection Officer in the public sector” (“Guidance”). The Garante published this Guidance in response to several issues and questions that arose during the first three years of full application of the General Data Protection Regulation (“GDPR”). Notably, the Garante highlighted that quite often the obligation to appoint a Data Protection Officer (“DPO”) has been seen as a mere formality, with the importance of that role failing to be acknowledged, especially in the public sector.

The Garante underlined the importance of the DPO as the point of contact between the controller/processor and the relevant authority (the Garante itself): information and communications sent by the Garante to the controller/processor are also addressed to the DPO, and the controller and/or processor must involve the DPO in every aspect of a proceeding pending before the Garante. The Garante needs to communicate with someone with expertise and knowledge in the area of privacy and data protection.

Among all the aspects the Guidance encompasses, two are especially important: the appointment of a single DPO for several public entities and conflicts of interest regarding the position of the DPO.

The Garante acknowledged that in the public sector, often several public entities (such as small municipalities) rely on a single DPO. This is a simplification provided by the GDPR itself (Section 37, para. 3) to cut costs and streamline the selection process. However, a few critical aspects arise: the high number of public entities to manage and the differences in processing their personal data (such as, for instance, the processing carried out for a healthcare facility as opposed to that for a public school) can hinder the work of the single DPO in the sense that, due to time constraints, the DPO may not adequately carry out their work. To solve these issues, the Garante stated that each public entity must evaluate, on the basis of the principle of accountability, whether the single DPO can carry out and perform their duties as DPO for all the public entities that selected them, and may also assemble a team to provide assistance to the DPO or predetermine the percentage of work to be carried out for each public entity.

This issue also seems to be closely linked to the low remuneration provided to DPOs in the public sector. According to the Garante, low remuneration pushes DPOs to accept multiple assignments from different public entities to reach an adequate level of pay, giving rise to the abovementioned issues.

Another issue the Garante tackled is the conflict of interest between individuals having different duties that may give rise to incompatibility with the role of DPO (e.g., a controller who is also DPO). To this end, the WP29 “Guidelines on Data Protection Officers” provide best practices to avoid any kind of conflict of interest by identifying several leading roles that are fundamentally incompatible with the position of DPO (such as the financial manager, human resources director, or anyone who acts upon and establishes aspects of both privacy by default and privacy by design). Generally speaking, anyone appointed to a leading role in the controller/processor orbit and directly involved in decisions concerning processing modalities and purposes cannot be considered impartial enough to carry out the important duties and tasks of a DPO. The Garante found that several processors for public entities were also designated as DPOs, thus hindering further the potential for these individuals to carry out their tasks as DPOs. This critical issue also arose in all public entities that designated their IT experts/department heads as DPOs: the Garante found that IT experts (who would, in essence, be supervising themselves in this scenario) are not impartial enough to monitor the procedural and technical aspects of processing, leading to a permanent conflict of interest.
