I will say it now: it is not that I am nostalgic for the three-tier organization (titolare, responsabile, incaricato) typical of the Italian national privacy legislation. Everybody said that with the GDPR we would go back to the European binary model, with DATA CONTROLLER (responsabile) and DATA PROCESSOR (incaricato). Both roles can be natural or legal persons and appear from the provisions of Art. 4 “Definitions” onwards. No other roles are provided for, so the label “processor” covers simple workers as well as senior managers and also supplier companies (outsourcers).
But are we pretty sure that things are set this way?
Re-reading Art. 26 (which precisely describes the role of the processor) carefully, you will notice that it fits the figure of an outsourcer (company or professional) like a glove, but not internal employees at all. See paragraph 1, in which the processor has to “put in place technical and organizational measures” to enforce the GDPR (we are clearly talking about a supplier, not a single employee); even more so paragraphs 1 bis and 2 bis, dedicated to subcontracting; or paragraph 2, which asks not for an “appointment” but for a “contract” and carries a series of obligations typical of relations between companies (up to subsection G, which mentions the end of the “provision of services”); or 2 bis bis, which concerns the use of “codes of conduct” or “certification mechanisms”, clearly referable to companies. And that is not all: Art. 35 on the role of the DPO defines the cases in which controller and processor appoint a DPO; not to mention the references to “the bodies representing categories of controllers or processors” in paragraph 4 of Art. 35, but also in 38/1 bis and 39/1 bis, attributable solely to companies.
So let us assume for a moment that by the term “processor” the GDPR essentially means an external service provider (similar to the “responsabile esterno” of the Italian privacy law); but since the definition in Art. 4 paragraph 6 seems clearly to include employees (natural persons), is it possible that they leave no trace in the rest of the Regulation, given that Art. 26 ignores them entirely? To tell the truth, two shy hints at these roles appear in Art. 37, where one of the tasks assigned to the DPO is to “inform and advise controllers and processors, as well as employees who process personal data” (who thus appear for the first time as an entity separate from the processor) and the “training of the staff involved in processing”. Sure, it is a bit too little to support the claim that there is a third role (the DATA HANDLER, distinct from the processor), but you will grant me some doubt about the strictly two-tier model…
It is hard to say what practical consequences this interpretation could have: even if this role exists, the GDPR mentions it only marginally. And this is a shame, because privacy compliance depends on procedures, but above all on people’s behaviour: without the full involvement of employees everything becomes a mere formality. Don’t you think so?
The topic is addressed in Article 27, which reads: “Article 27 Processing under the authority of the controller and of the processor
The processor, or anyone acting under its authority or under that of the controller, who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.”
NB: this post still referred to the provisional version of the GDPR that circulated until April.
In the final approved text the definition of “Responsabile” was restored (in place of the “Incaricato” cited here), and the correct references would be to Art. 28 (for my post) and Art. 29 (for Fumagalli’s reply).