The Data Protection Authority, on 26 March 2018, published on its official website a series of clarifications regarding the appointment and duties of the Data Protection Officer (“DPO”). In particular, the Authority listed all the persons obliged to appoint a DPO pursuant to Article 37 (1), b) and c) of Regulation (EU) 2016/679 and underlined that “in any case in the light of the principle of accountability inspiring the Regulation it is recommended to appoint a DPO even in instances of non-compulsoriness.” Otherwise, the Authority simply reiterated the provisions of the Regulation: (i) a group of undertakings may appoint a single data protection officer; (ii) the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (in this case, a public body can be appointed as DPO); (iii) the data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests; (iv) characteristics and requirements of the data protection officer. The publication of this document is the continuation of the coordination and interpretation activity that the Authority is carrying out, and therefore it will come as no surprise the fact that from today until 25 May other “interpretative” documents may be published (e.g., guidelines, FAQs) relating to other provisions of the Regulation.
