In a significant decision, the Italian Data Protection Authority (the Garante) addressed a critical issue concerning the roles of Data Protection Officer (DPO) and legal representative within organizations operating in Italy.
The Garante concluded that appointing the same individual as both the DPO and the legal representative of a company constitutes a conflict of interest, thereby violating the General Data Protection Regulation (GDPR).
Understanding the Roles: DPO vs. Legal Representative
Under the GDPR, the DPO is responsible for overseeing data protection strategies and ensuring compliance with data protection laws. Crucially, the DPO must operate independently, without receiving instructions regarding the exercise of their tasks, and must report directly to the highest management level.
Conversely, a legal representative under Italian law is an individual with powers to represent the company (for example, a director), who typically holds a position of authority within the organization and makes decisions about the purposes and means of data processing. According to the Garante, this dual role inherently compromises the DPO’s required independence: an individual cannot objectively monitor compliance with data protection laws if they are also responsible for determining data processing activities.
The Garante’s investigation also revealed that a company had appointed its legal representative as the DPO without notifying the authority, as mandated by Article 37(7) of the GDPR; this notification is required even if the DPO has already been notified to other EU data protection authorities. The appointment violated several GDPR provisions:
- Article 37(6): The DPO must not hold a position that leads to a conflict of interest.
- Article 38: The DPO must perform their duties independently.
- Article 39: The DPO’s tasks include monitoring compliance, which is compromised if they are also the legal representative.
As a result, the Garante imposed a fine of EUR 70,000 on the company for these violations.
Implications for Organizations Operating in Italy
This decision serves as a critical reminder for organizations operating in Italy to carefully assess the appointment of their DPOs. Ensuring that the DPO operates independently and without conflicts of interest is not just a regulatory requirement but also a cornerstone of effective data protection governance.
Organizations must avoid assigning the DPO role to individuals who have decision-making authority over data processing activities, such as legal representatives or other senior executives. Instead, they should appoint individuals who can objectively oversee data protection compliance without undue influence.
The Garante’s decision underscores the importance of maintaining clear boundaries between roles within an organization to uphold the integrity of data protection practices. By ensuring that the DPO operates independently and free from conflicts of interest, organizations can better protect personal data and comply with the stringent requirements of the GDPR.
On the same topic, you can read the article “The Italian privacy authority rules on the definition of personal data and the relevance of the DPO’s opinion”.