The DPO's position, as is known, includes among its tasks (art. 39(1)(b)):
to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
Furthermore, according to art. 38(3):
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.
In this context, then, the DPO decides autonomously on processing activities within the scope of its specific tasks, much as a controller does, as defined in article 4 of the GDPR:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
This feature is not unique to the DPO, which, being a role explicitly defined in the GDPR, does not qualify as a controller even though it shares similar characteristics; it can likewise be found in other supervisory bodies already present in many Italian organizations, as provided for by other regulations.
I am referring in particular to the Supervisory Bodies established under Law 231/01 and to Boards of Auditors. The task of these bodies is, put simply, to supervise the conduct of a specific organization; within this task they are completely autonomous, and they determine the purposes and means of the processing.
In other words, such bodies qualify as distinct and autonomous controllers with respect to the organization they are required to supervise.