TAR, Friuli Venezia Giulia, section I, judgment of 13/09/2018 No. 287
The TAR of Friuli Venezia Giulia rules on the requirements that a DPO must fulfil under the new European Privacy Regulation (GDPR) and on the weight that certifications may carry when public administrations select a candidate for this role.
According to the administrative court, the role of the DPO (data protection officer) is eminently legal in nature.
In the case at hand, the Regional Administrative Court ANNULS a competitive selection procedure aimed at appointing a DPO in the public sector, stating that: “Coming to the merits of the appeal, the Board believes that it is manifestly founded in relation to the contested identification of the ISO/IEC 27001 Auditor/Lead Auditor certification as a requirement for admission to the selective procedure (complaint 1.1, introduced in the appeal, repeated in the additional grounds under No. 3)”.
On this point, it should be noted that the aforementioned certification does not constitute, as objected by the applicant, a qualifying title for the purposes of hiring and performing the functions of data security manager within the framework of the rules introduced by the GDPR, having to consider that:
- on the one hand, the ISO 27001 standard is predominantly applied in the context of business activity (suffice it to note that the references made to it by the national legislator and by the EU system essentially concern the requirements of economic operators, as occurs for example in the case of art. 93, paragraph 7, Legislative Decree no. 50 of 2016, on the subject of guarantees for participation in award procedures in ordinary sectors);
- on the other hand, the same standard, however potentially extensible to the activity of public administrations, is without prejudice to the application of the special provisions (EU and national) on the protection of personal data and confidentiality (point 18 “compliance” of the aforementioned ISO standard; see in particular 18.1.1 and 18.1.4), so that the meticulous knowledge and application of the sector regulations remain, regardless of whether or not the certification in question is held, the essential and irreducible core of the professional figure sought through the selective procedure undertaken by the Company, whose profile, for the aforementioned reasons, can only qualify as eminently legal.
It follows that the certification indicated in the notice cannot in itself constitute an admission requirement for the selection under consideration (let alone rise to the level of an equivalent of the required degree), precisely because it does not grasp (or does not fully grasp) the specific guarantee function inherent in the assignment, whose main object is not the provision of mechanisms aimed at increasing the levels of efficiency and security in the management of information but, if anything, as noted in the appeal, concerns the protection of the fundamental right of the individual to the protection of personal data, regardless of the methods of their propagation and the forms, albeit lawful, of their use”.
Source: Il Sole 24 Ore
Do not take unnecessary risks by waiting until the last moment to adapt: in case of non-compliance with the privacy obligations, the European Privacy Regulation provides for administrative fines of up to €20,000,000 or up to 4% of your turnover, whichever is higher.