The DPO is back again

By | Thursday December 10th, 2015

Data Protection Officer is mandatory, again.

Article 35 of the latest version of GDPR states that “The controller and processor shall designate a data protection officer in any case where: […] “.

To clearly understand which controllers and processors are included in such categories, the local language versions – and perhaps some comments – are needed.

Controller and processor are now required (if this will be the final version) to address the same compliance issues.

In any case all the above confirm that the “trilogue” (Commission, Parliament and Council) is very close to define and approve the GDPR.

Category: Data Protection Officer Legal framework Roles and Liabilities Tags: , , ,

About Sergio Fumagalli

Vice President Zeropiu Spa, system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Data Protection Italian Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005 a book on compliance to the Italian Law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit a leader association on IT Security in Italy Between 2004 and 2012 member of the board of Webank Spa, the online banc of the Banca Popolare di Milano group.

2 thoughts on “The DPO is back again

  1. Alessandro Vallega

    In the consolidated text dated Dec. 4th 2015, we find at the same article 35:

    The controller and the processor shall designate a data protection officer in any case where:
    (a) the processing is carried out by a public authority or body, except for courts acting in
    their judicial capacity; or
    (b) the core activities of the controller or the processor consist of processing operations
    which, by virtue of their nature, their scope and/or their purposes, require regular and
    systematic monitoring of the data subjects on a large scale; or
    (c) the core activities of the controller or the processor consist of processing on a large
    scale of special categories of data pursuant to Article 9 and data relating to criminal
    convictions and offences referred to in Article 9a.

  2. Dominick Leiweke

    Welcome back DPO. At least we got rid of some unnecessary ambiguity in the regulation, although some degree of discretion is required to ease national law harmonization, I’m happy the DPO is mandatory again.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.