On December 15th 2017, the Italian Garante published the new “frequently asked questions” (FAQs) related to the Data Protection Officer (DPO) in the public sphere.
The main aim of the FAQs is to respond to the major questions and concerns that arose during the meetings held in June 2017 between the Italian Public Administrations and the Garante.
This document is a useful tool that can serve as more specific guidance, in addition to the Article 29 Working Party (“WP29”) Opinion on DPOs (Guidelines on Data Protection Officers), to further clarify the DPO role in Italian Public Administrations.
The Garante, according to Art. 37 (1) (a) of the General Data Protection Regulation (“GDPR”), states that all public authorities and bodies have to designate a DPO, except for courts acting in their judicial capacity. However, the GDPR does not define what constitutes a ‘public authority or body’ and, according to the WP29, such a notion shall be determined under national law.
As a consequence, the public authorities and bodies obliged to designate a DPO shall be those enumerated in Articles 18-22 of the Italian Data Protection Code, such as: State administrations, national, regional or local non-economic bodies, regional or local Authorities, Universities, Chambers of Commerce, Industry, Crafts and Agricultural bodies, National Health Service entities, Independent Authorities etc.
Furthermore, the Garante strongly recommends that private entities exercising public functions designate a DPO, although the designation is not mandatory for them.