A controversial decision from Italian Administrative Judges on the appointment of Data Protection Officers

Lawyer Vincenzo Colarocco

Among the factors that most contribute to decreasing the relevance of the DPO’s role are the professional selection methods. On the subject, the Administrative Court of the Puglia Region intervened on 13 September, with sentence n. 1468/2019, from which it is possible to deduce important considerations regarding the procedure for the designation of the Data Protection Officer.

The decision issued, has the effect of canceling the award of a two-year DPO assignment to a limited liability company, which had appointed, for the DPO role, an external consultant. According to the judges, indeed, based on an authentic interpretation of the Guidelines on Data Protection Officers (WP243), the company had proceeded to designate the DPO by appointing a professional external to the company, without specifying and proving that the latter belonged to that same company. Consequently, according to this interpretation, the subject who performs the functions of Data Protection Officer in the case of entrustment to a juridical person of the assignment, must be an employee of the company that offers the DPO service, as long as it is not possible to appoint an external professional.

The ruling of the judges, although it deals with the public sector, expresses a principle that has expansive potential even in the private sector, that, if it could be shared, it would make illegitimate a considerable number of appointments of DPO made in favor of legal persons, since the latter will constantly avail themselves of external professionals, who should guarantee specialist knowledge of data protection legislation and practices, as well as the ability to perform the tasks required by art. 37, par. 5 of the GDPR.