The decision-making autonomy and the extraneousness of the DPO with respect to the determination of the purposes and methods of the treatment are means of fundamental importance for restoring to those concerned that sovereignty over the circulation of their data
This is the scenario in which the Data Protection Officer or Responsible for the protection of personal data (later DPO or RPD) is inserted: a complex figure, which summarizes in itself the plot of principles, ethical before legal, which cloaks the European Regulation.
One thing must be clear : the tasks and responsibilities of the DPO cannot depend solely on market logic. Logics that, among other things, have recently fueled the proliferation of training proposals, among which it is often difficult to distinguish, with sufficient clarity, those really oriented to shaping the qualities and professional skills of this new figure and those instead aimed solely at release of the so-called “ quality stamps ” (often of doubtful value) to be pinned on the curriculum. The role of the DPO is too delicate to be debased through a commodification work (including certifications) which has (unfortunately) accompanied many roles / models of “responsibility” in other areas of law.
It is true , in fact, that the EU Regulation 2016/679 provides and incentives the establishment of data protection certification mechanisms in order to demonstrate compliance with the Regulation of treatments carried out (art. 42, par. 1) but, as rightly recalled by the Data Protection Authority with press release of 18 July , in Italy no accreditation body has yet been identified for the purposes of the Regulation, nor have the additional requirements for accreditation of the bodies been defined certification (art.43, par.1, letter b) and the certification criteria (art.42 par.5).
The designation of the DPO
It should be emphasized that, even when not mandatory, the designation of the DPO is particularly recommended for all cases in which the processing activities constitute probable sources of risk for the rights and freedoms of natural persons , based evaluations entrusted, in individual cases, to the Owners and Managers, in implementation of the fundamental principle of accountability. It is clear, therefore, that the Data Protection Officer cannot and should not have a function to protect the interests of the Owner and the Manager, but a role exclusively dedicated to the protection of personal data.
Here, therefore, the requirement of the DPO’s autonomy and independence in the exercise of its functions becomes essential , taking up in part the spirit of the system envisaged in Italy by Legislative Decree 231/2002, regarding the administrative liability of entities . As we know, ensuring that there are no constraints in performing complex tasks is far from trivial. Certainly, the hypothesis of framing the DPO in an addictive relationship with the Data Controller (or with the Manager) of the treatment would present more evident risks of asymmetry of powers and conflict of interest in the workplace, despite the express regulatory coverage. However, even in the absence of hierarchical constraints, the duty to act independently could be compromised if the assignment given to the external DPO assumed, in fact, the form of a simple professional mandate or a service assignment.