A recent Italian court ruling on the DPO liability regime under the GDPR, handed down in a cyber fraud case, confirms that a Data Protection Officer bears no responsibility for a cybersecurity breach that results from the client's failure to act on documented recommendations.
In Decision No. 3034 of May 29, 2026, the Court of Florence clarified the boundaries of DPO liability in the context of a Business Email Compromise (BEC) attack that cost the company €390,000.
The decision is one of the first Italian rulings to address directly whether a Data Protection Officer can be held liable for a cybersecurity breach suffered by the company that appointed them, and it is essential reading for any organization trying to understand where GDPR compliance meets cybersecurity incident response.
The Facts: A BEC Attack and a Blame Game
The case involved a company in the utility sector (services and technologies for managing water, gas, energy and heat consumption) that had appointed an external firm as its Data Protection Officer. On March 5, 2024, the company fell victim to a BEC attack: the attackers intercepted email correspondence between the company and one of its suppliers, impersonated the supplier's staff, and requested a change of IBAN details for pending payments. Misled by the fraudulent emails, the company transferred a total of €390,000 to accounts controlled by the attackers.
Following the incident, the company opposed a payment order that the DPO firm had obtained for unpaid professional fees. The company argued that the DPO had failed to properly perform its duties by not implementing essential cybersecurity measures, thus enabling the fraud. Additionally, the company raised a counterclaim for € 390,000 in damages, alleging that the DPO’s negligent conduct had a direct causal link to the loss. The company also alleged a conflict of interest between the DPO firm and a separate IT consultancy firm due to partial overlap in their corporate ownership structure.
The Court’s Analysis: The DPO Liability Regime Under GDPR
To define the applicable liability regime, the Court of Florence began by delineating the role of the DPO under Articles 37, 38 and 39 GDPR, read together with the relevant recitals and the Article 29 Working Party Guidelines on DPOs (WP29). This systematic approach is noteworthy: it gives practitioners a reasoned judicial interpretation of the DPO's perimeter of responsibility.
The Advisory Nature of the DPO Liability Regime
The Court emphasized that, pursuant to Article 39(1)(a) and (b) GDPR, the DPO’s core tasks are to “inform and advise the controller or the processor and the employees who carry out processing of their obligations” and to “monitor compliance” with the GDPR and other applicable data protection provisions. The DPO’s expertise must be proportionate to the sensitivity and confidentiality of the data processed by the organization, as specified by Recital 97 and Article 37(5) GDPR.
Crucially, the Court stressed that the DPO never assumes executive functions. Under Article 24(1) GDPR, it is the data controller — not the DPO — that must “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Consequently, in case of non-compliance with the GDPR’s requirements, liability rests exclusively with the controller and, where applicable, the processor (as also confirmed by the WP29 Guidelines at p. 22).
Under this liability regime, the Court described the DPO as a figure tasked with verifying the controller's processing activities and expressing a judgment of conformity or non-conformity, while providing "information, advice, and guidance." This characterization is consistent with the European Data Protection Board's longstanding position and is likely to serve as a reference point in the Italian legal landscape.
Evidence of Diligent Performance
Having established the legal framework, the Court examined whether the DPO firm had diligently performed its contractual obligations. The contractual scope — set out in Article 4 of the engagement agreement — substantially mirrored the statutory tasks under Article 39 GDPR, requiring the DPO to provide periodic audits, gap analysis and remediation plan reports, regulatory updates, and opinions on data protection impact assessments.
The evidence on file demonstrated that the DPO had fulfilled these obligations thoroughly. In particular, the DPO had:
- Flagged as early as 2022, through informal communications, the urgent need for cybersecurity improvements, including the adoption of two-factor authentication (2FA) for VPN access and the creation of a dedicated server network with defined access rules. The company's own representative acknowledged being "very (too) exposed" to risk but expressed the need to keep costs under control.
- Recommended in 2023 targeted staff training on recognizing fraudulent emails, specifically warning the company to "consider the possibility of conducting brief specific training on the problem of scam emails and how to recognise them."
- Issued formal audit reports rating the company's "IT/technological security measures" as "Improvable" and its "IT authentication/authorisation systems" as "Not acceptable." In Internal Audit Report No. 1 of January 22, 2021, the DPO flagged that personal data was being transmitted by email "without the adoption of security measures" and proposed a risk assessment and the implementation of adequate security measures as corrective actions.
- Maintained continuous and diligent engagement with both the company's legal representative and its IT consultant.
The Conflict of Interest Argument
The Italian Court also dismissed the alleged conflict of interest between the DPO firm and a separate IT consultancy, noting that the GDPR itself (Article 37(6) and Recital 97) permits a DPO to be an employee of the controller. If an employment relationship does not preclude independence, then a fortiori, the mere partial overlap in ownership between two legally distinct entities does not establish incompatibility.
The Court referenced the WP29 Guidelines’ catalogue of conflict-of-interest situations, which focus on senior management roles or positions that involve determining the purposes and means of processing — none of which applied in this case.
The Temporal Disconnect
A further decisive element was that the DPO firm had formally terminated its engagement effective December 31, 2023 — more than two months before the BEC fraud occurred on March 5, 2024. Therefore, even hypothetically assuming any breach of duty, the fraud did not occur during the DPO’s mandate.
The Ruling
The Italian Court rejected the opposition in its entirety, confirmed the original payment order, and ordered the plaintiff to pay the DPO firm an additional €14,558.85 for outstanding professional fees, plus €22,457.00 in legal costs. The Court also rejected the DPO firm’s request for sanctions under Article 96 of the Italian Code of Civil Procedure (frivolous litigation), finding that the complexity of the applicable regulatory framework justified the plaintiff’s decision to litigate, even though its arguments were ultimately unsuccessful.
Key Takeaways for Organizations and DPOs
This judgment offers several critical lessons on the DPO liability regime for organizations, DPOs, and privacy practitioners:
- The DPO's role is advisory, not executive. The DPO's mandate under the GDPR is advisory and supervisory; organizations cannot shift liability for security failures onto their DPO. The duty to implement adequate technical and organizational measures remains firmly with the data controller under Article 24 GDPR.
- Documentation is the DPO’s best defense. The DPO firm prevailed largely because it could demonstrate, through audit reports, emails, and formal communications, that it had repeatedly flagged the company’s cybersecurity vulnerabilities and recommended specific remedial actions. This underscores the importance of maintaining a comprehensive paper trail.
- Ignoring the DPO’s recommendations creates organizational liability. The company acknowledged its own overexposure to cyber risk yet failed to act on the DPO’s recommendations. In a follow-up proceeding — whether regulatory, civil, or otherwise — this failure could be used against the organization itself.
- Conflict of interest claims require substance. Mere corporate overlap between a DPO firm and an IT consultancy does not automatically create a conflict under GDPR, particularly where the two entities are legally separate and the DPO is not in a position to determine the purposes or means of processing.
- BEC fraud remains a major threat. According to the FBI's Internet Crime Complaint Center (IC3), BEC attacks caused over $2.9 billion in reported losses in 2023 alone, making them one of the costliest forms of cybercrime. ENISA likewise lists social engineering, including BEC, among the top threats in its annual Threat Landscape reports. Organizations must invest in employee training, email authentication (SPF, DKIM and DMARC with an enforcing policy) and, above all, payment verification procedures. Two caveats matter here: email authentication only prevents spoofing of domains whose owners have deployed it, and it offers no protection when the attacker writes from a genuinely compromised supplier mailbox, a common BEC pattern. The control that actually stops an IBAN-change fraud is procedural: treat every request to change bank details as unverified until it has been confirmed through a channel independent of the email thread (for example a call to a phone number already on file for the supplier), with a second approver for the change.
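As an added example that is not part of the article or of the court's record, the following Python script assesses the SPF and DMARC records a domain publishes and reports the weaknesses that leave it spoofable. The record strings, domain names and IP range are constructed for illustration; in practice the two records are fetched with a TXT lookup for the domain and for `_dmarc.<domain>`, which the script deliberately does not perform so that it runs offline.

```python
"""Offline assessor for SPF and DMARC TXT records, flagging the weaknesses that
let a domain be spoofed in a BEC attack.

Added example, not code from the article or the court. The record strings at
the bottom are constructed; real ones come from DNS TXT lookups (domain and
_dmarc.<domain>), which are deliberately not performed so the script runs
offline. Limit: none of this helps when the attacker sends from a genuinely
compromised mailbox, a common BEC pattern.
"""
import re


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict; None if not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of human-readable findings for a DMARC record."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: the exact domain can be spoofed with no policy applied"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}): receivers ignore the record")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains (e.g. invoices.<domain>) remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so abuse goes unseen")
    return findings


def assess_spf(record):
    """Return a list of human-readable findings for an SPF record."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot reject mail from unauthorised hosts"]
    terms = record.split()[1:]
    findings = []
    all_match = None
    for term in terms:
        all_match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if all_match:
            break
    if all_match is None:
        findings.append("no 'all' mechanism: unlisted senders get an implicit neutral result")
    else:
        qualifier = all_match.group(1) or "+"  # RFC 7208: a missing qualifier means '+'
        if qualifier == "+":
            findings.append("+all: every host on the Internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, equivalent to publishing no policy")
        elif qualifier == "~":
            findings.append("~all: softfail; DMARC treats it as a failure, receivers without DMARC usually deliver anyway")
    # Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4). More than 10
    # yields permerror, i.e. SPF silently stops protecting the domain. Nested
    # include: targets are not expanded here because no DNS is queried.
    lookup_re = re.compile(r"^[-~?+]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.IGNORECASE)
    lookups = sum(1 for term in terms if lookup_re.match(term))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks; each argument is the TXT record string or None."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


# Constructed records for illustration (example.com / example.net are reserved names,
# 203.0.113.0/24 is a documentation range).
WEAK = {"spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                     "rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(records["spf"], records["dmarc"]))
```

The check is worth running not only against your own domain but against the domains of key suppliers: a supplier that publishes `p=none` can be impersonated to your accounts-payable staff regardless of how well your own mail is configured. Since include: targets are not expanded here, the DNS-lookup count is a lower bound on what a receiver will actually evaluate.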
By firmly anchoring the DPO liability regime within the advisory and supervisory framework established by Articles 37–39 GDPR, the decision of the Italian Court sends a clear message: organizations cannot use their DPO as a scapegoat for cybersecurity incidents that result from their own failure to implement the measures recommended by that very DPO.
At the same time, the ruling highlights that DPOs who thoroughly document their advice, flag vulnerabilities, and maintain a proactive posture will be well-positioned to defend against claims of negligence. For organizations, the lesson is equally clear: appointing a DPO is not a substitute for investing in cybersecurity infrastructure and staff awareness. The GDPR’s accountability principle under Article 5(2) demands more.
On a similar topic, you can read the article “The DPO CANNOT be the Legal Representative of the Company in Italy”.

