The appointment of the Data Protection Officer (DPO) is one of the most controversial points of the implementation of the new Reg. EU 2016/679 on data protection. The Data Protection Authority provides guidance on this matter through a series of FAQs.
The DPO is a key figure that is mandatory for public and private health facilities and has the task of assisting and supervising the internal processing of data, while also interfacing with all the external supervisory authorities. While the DPO's new functions may not yet be known to every public and private data controller, it is certain that the appointment, mandatory by 25 May 2017, would be appropriate already now, during the implementation of the General Data Protection Regulation.
In order to facilitate this task, the Data Protection Authority provided a series of answers to FAQs, giving indications for the appointment within the Public Administrations and their concessionaires (for the healthcare area: hospitals, local health authorities, nursing homes, accredited and contractualized healthcare facilities). The following is a summary of the questions and the corresponding answers of the Guarantor that appear relevant for the healthcare area.
In the event that the DPO is employed by a public authority or by a public body, what qualification must they have?
First of all, it is necessary to assess whether the role of the DPO is compatible with the duties performed as an employee; the Guarantor in fact recalls that:
- the DPO must not receive instructions on how to perform their duties (Article 38, paragraph 3),
- the DPO must be able to act independently (recital 97),
- the DPO always reports to the highest management level (Article 38, paragraph 3): this direct relationship guarantees, in particular, that the administrative management is aware of the indications and recommendations provided by the DPO in the exercise of their information and counseling functions in favour of the controller or the processor.
Therefore, if an internal employee is chosen, it would be advisable to appoint a manager as DPO, namely a highly professional official who is able to carry out their functions independently, autonomously and in direct collaboration with the highest management levels.
Which certifications are suitable to legitimize the DPO in the exercise of its functions, pursuant to art. 42 and 43 of the GDPR?
The DPO is an “unregulated profession”: therefore any certifications that the DPO may have, while representing a valid tool for verifying the possession of a relevant level of knowledge of the discipline, are still not a “qualification” to exercise the role of DPO.
With what formal act should the DPO be designated?
- if the DPO belongs to the internal staff, a specific "Data Protection Officer" designation act is required,
- if the DPO is an entity outside the institution, the designation will be part of the service contract that governs their legal relationship.
Where the role is assigned to a team or to a company, it is however necessary to unequivocally identify the individual who will specifically act as, and be identified as, the DPO. It is then necessary that the designation act or the service contract indicates, even if briefly, the reasons that led the entity to choose that person to perform the role of DPO. In essence, the choice must be motivated.
Once the DPO has been identified, it is necessary to:
- communicate the designated person to the Data Protection Authority so as to facilitate contacts with the Authority,
- include the DPO in the information provided to the data subjects,
- publish the name of the DPO on the website in the "transparent administration" section, as well as in the "privacy" section that may already be present,
- communicate the name to the data subjects in case of a personal data breach (Article 33, paragraph 3, letter b).
Does the designation of a DPO within the public authority or the public body necessarily also require the establishment of a separate office?
The data controller (hospital, nursing home) is required to provide the DPO with the economic, structural and organizational resources needed to carry out their tasks. It follows that, in relation to the administrative and technological complexity of the processing activities and of the organization, it will be necessary to carefully evaluate whether a single person can be sufficient to carry out all the tasks assigned to the DPO or whether internal or external support will be required.
On the basis of this analysis it will be possible to evaluate whether it is appropriate to set up a dedicated office in which to allocate the resources necessary for carrying out the established tasks. The obligation to identify the natural person who plays the role of DPO remains in any case.
Is it permissible for the same controller/processor to have more than one DPO?
Nothing prevents the identification of supporting figures, with reference to different sectors or territorial areas, provided they report to a single DPO.
What are the additional tasks and functions that can be assigned to a DPO?
Article 38 allows further tasks and functions to be assigned to the DPO, provided that they:
- leave the DPO sufficient time to perform the tasks set out in the GDPR (Article 38, paragraph 2);
On this point, the Data Protection Authority believes that the assignment of further tasks is not appropriate for entities that are very complex in terms of activity and size (e.g. large hospitals).
By way of example, the Data Protection Authority states that the person responsible for the prevention of corruption and transparency, given the significant amount of work, should not be appointed as a DPO since the excessive amount of work could be such as to negatively affect the effectiveness of the performance of the tasks that the Regulation assigns to the DPO.
- do not give rise to a conflict of interest (Article 38, paragraph 6).
In the public sector, all the high-level figures who have decision-making power in relation to the purposes and the means of the processing may be in a situation of conflict of interest: for example the Information Systems manager (required to identify the necessary security measures), or the manager of the Statistical Office (required to define the characteristics and methods of processing personal data for statistical purposes).
Even in the case of an external DPO, it is necessary to verify that they do not carry out additional tasks that involve situations of conflict of interest or that prevent them from efficiently fulfilling their functions. In these cases, in the designation act or in the service contract, the DPO must provide appropriate guarantees to promote transparency in the relationship and prevent conflicts of interest.