On May 24, 2021, the Italian Data Protection Authority (hereinafter the “Garante”) published on its website “Guidance on designation, position and tasks of the Data Protection Officer in the public sector” (“Guidance”). The Garante published this Guidance in response to several issues and questions that arose during the first three years of full application of the General Data Protection Regulation (“GDPR”). Notably, the Garante highlighted that quite often the obligation to appoint a Data Protection Officer (“DPO”) has been seen as a mere formality, with the importance of that role failing to be acknowledged, especially in the public sector.
The Garante underlined the importance of the DPO as the point of contact between the controller/processor and the supervisory authority (the Garante itself): information and communications sent by the Garante to the controller/processor are also addressed to the DPO, and the controller and/or processor must involve the DPO in every aspect of a proceeding pending before the Garante. The Garante therefore needs a counterpart with genuine expertise and knowledge in the area of privacy and data protection.
Among all the aspects the Guidance encompasses, two are especially important: the appointment of a single DPO for several public entities and conflicts of interest regarding the position of the DPO.
The Garante acknowledged that in the public sector, several public entities (such as small municipalities) often rely on a single DPO. This is a simplification provided by the GDPR itself (Article 37, para. 3) to cut costs and streamline the selection process. However, a few critical aspects arise: the high number of public entities to manage and the differences in the processing of personal data they carry out (for instance, the processing carried out by a healthcare facility as opposed to that carried out by a public school) can hinder the work of the single DPO, in the sense that, due to time constraints, the DPO may not adequately carry out their duties. To address these issues, the Garante stated that each public entity must evaluate, on the basis of the principle of accountability, whether the single DPO can actually perform their duties as DPO for all the public entities that selected them; the entities may also assemble a team to assist the DPO, or predetermine the share of working time to be devoted to each public entity.
This issue also seems to be closely linked to the low remuneration offered to DPOs in the public sector. According to the Garante, low remuneration pushes DPOs to accept multiple assignments from different public entities in order to reach an adequate level of pay, giving rise to the abovementioned issues.
Another issue the Garante tackled is the conflict of interest that arises when an individual holds other duties that are incompatible with the role of DPO (e.g., a controller who is also the DPO). To this end, the WP29 “Guidelines on Data Protection Officers” provide best practices to avoid any kind of conflict of interest by identifying several senior roles that are fundamentally incompatible with the position of DPO (such as the chief financial officer, the head of human resources, or anyone who decides on and implements the measures required by privacy by design and privacy by default). Generally speaking, anyone appointed to a senior role within the controller/processor and directly involved in decisions concerning the purposes and means of processing cannot be considered impartial enough to carry out the important duties and tasks of a DPO. The Garante found that several processors working for public entities had also been designated as DPOs of those same entities, further undermining their ability to carry out their tasks as DPOs. The same critical issue arose in all public entities that designated their IT experts or IT department heads as DPOs: the Garante found that IT experts (who would, in essence, be supervising themselves in this scenario) are not impartial enough to monitor the procedural and technical aspects of processing, resulting in a permanent conflict of interest.