Who is the Data Protection Officer and when is it mandatory?

The role does not require specific certifications or enrolment in specific registers, but it does require in-depth knowledge of privacy legislation and practice. This is the Data Protection Officer, the key figure introduced by the new European regulation on the protection of personal data, known to most as the GDPR. Through adequate professional competence, the DPO (the acronym for Data Protection Officer) must give the company the advice it needs to design, verify and maintain an organized system for managing personal data. Furthermore, the DPO must help the controller adopt a set of measures and safeguards appropriate to the context. The DPO acts in complete independence and autonomy, receiving no instructions and reporting directly to top management.


The Regulation n. 2016/679 on privacy does not contain indications on the professional qualities of the Data Protection Officer – or even Data Protection Officer (RPD). What we know today about this important figure is the result of a series of interpretations, not without misunderstandings. We know for sure that the DPO must:

• enforce the rules on privacy through verification and continuous, constant monitoring of how data are processed;
• know the legislation on data protection at both national and European level;
• know the GDPR rules;
• have expertise in the legal and IT fields and in risk assessment.

The Data Protection Officer may be chosen from within the company organization chart, or an external figure may be preferred. The person chosen must not be in a conflict of interest. It is for this reason that the Regulation says the DPO cannot be the CEO of the company, nor the administrative, health or operations manager, nor the head of human resources. Finally, the Data Protection Officer must work in complete autonomy, without receiving any kind of instruction on how to carry out the role.


The legislation on the protection of personal data will come into force on 25 May next and, for some companies, the figure of the DPO will be mandatory . There are 3 hypotheses in which this figure must necessarily be assumed:

• when the processing of data is performed by a public body or the Public Administration;
• when the company systematically processes personal data on a large scale in a way that requires continuous monitoring and observation over time, that is, when processing is the company's core business, even if only in support of it. For example, the core activity of a hospital is patient health, but to perform that work well, data processing becomes essential. A hospital is therefore obliged to designate a DPO;
• when the activity involves processing sensitive or judicial data on a large scale.

In general, the designation of a DPO is always recommended. Companies can decide in complete autonomy whether or not to appoint one. In that case, even though the appointment is voluntary, the Data Protection Officer must follow the same rules and has the same duties as a mandatory one.

Once identified, the DPO must be appointed through a contract. The appointment must be communicated to the Corporate Audit Authority, or to the Privacy Guarantor.
