We are not obviously talking about technical roles, endowed with administrative privileges, but rather about roles stated with Decision of Italian DPA:
Measures and precautions prescribed to data controllers of electronic processes concerning functions of the system administrator – November 27 2008
and subsequently modified with decision on June 25th 2009.
Such Decision, as is known, states that natural persons meeting determined objective features (type of activity) and subjective features (controller and processor must conform to evaluation criterions equivalent to those required to designate liabilities pursuant to section 29) shall be formally appointed as System Administrators, requiring execution of several activities such as tracking of logins in the processing system and the electronic archives.
The Decision clearly states the perimeter of application:
2. pursuant to section 154, subsection. 1, letter c) of Personal Data Protection Code, Controllers of processed personal data gathered through electronic means within application of the Code, even those concerning police and judicial settings (sec. 46 and 53 of Code), are required to adopt the following measures, with exception of processing carried within public and private administrative/accounting purposes, carrying lower risks for the persons concerned and having been simplified through recent laws (sec. 29, Decree – August 25-2008, n. 112, as converted with amendments by act n. 133 dated August 6-2008; section 34 of the Code; Italian DPA’s Decision November 6-2008):
At the emanation of Decision it was not clear what did processing for administrative/accounting purposes mean, but in 2011 with Decree n.70 dated May 13 2011, as converted with amendments into act n.106, dated July 12 2011, in section 34 of Legislative Decree 196/03 subsection 1-ter was added, defining these processes.
Now, a simple reading of the quoted subsection hereby reported, highlights how extended is the range of such definition:
Section 34. Processing by electronic means
1-ter. For the purpose of applying the provisions concerning the protection of personal data, a processing operation performed for administrative and accounting purposes shall by any processing operation that is related to the performance of organizational, administrative, financial and accounting activities irrespective of the nature of the processed data. The said purposes apply, in particular, to in-house organizational activities, the activities aimed at fulfilling contractual and precontractual obligations, managing employer-employee relationships, keeping accounting records, and implementing the legislation on taxation, trade unions, social security and welfare, and occupational health and safety.
Such definition implies that an organization would realize very few processes (if ever carried out) outside the range of the quoted definition.
It is up to each organization to evaluate, according to their data processes and to what is hereby expressed, whether the role of system administrator is still necessary.