Categories: Insights, Practice

Tag: Garante Privacy, Responsabilità amministrativa


29 Jun 2020

Authority: legal classification for the purposes of Supervisory Body privacy

With a note of 16 October 2019, the Association of Supervisory Body Members as per Legislative Decree  231/2001 (the “Association”) asked the Italian Data Protection Authority (the “Authority”) for a meeting to discuss the issue of the subjective classification for privacy purposes of the Supervisory Body (the “OdV, Organismo di Vigilanza).

The Association’s arguments

The subjects defined by the Regulation (EU) 2016/679 concerning personal data protection (the “Regulation”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the provisions adapting national legislation to the Regulation (the “Privacy Law” and together with the Regulation the “Privacy Legislation”), include the (i) Data Controller, defined as “the natural person or legal entity (…) that, individually or together with others, determines the purposes and means of the processing”; (ii) Data processor, i.e. “the natural person or legal entity, public authority, service or other body that processes personal data on behalf of the data controller” and (iii) Party Authorised to process personal data, i.e. “(…) anyone acting under the authority” of the Data Controller or Processor.

The issue, discussed fully in case law starting from the first interpretations of the Regulation, witnessed a conflict between the argument whereby the Supervisory Body for correct application of the Privacy Legislation should be classified as the Data Controller and the argument that considered it as Data Processor, i.e. a third party in relation to the Controller but acting on its behalf.

The Association supported a third hypothesis where the OdV, “as part of the enterprise”, must not be defined as a Data Controller or a Data Processor but its subjective classification should be within the organisation of the Entity it is asked to supervise.

The Authority’s position

The Authority clarified that the OdV cannot be classified as an independent Data Controller since it does not have the right to determine its own duties. They, along with their operation, means and security measures as well as any attribution of resources, are defined by the enterprise’s management body based on the previously adopted organisational model.

Moreover, according to the Authority, the OdV is not even classified as an external Data Processor since the Regulation attributes to the latter a series of obligations and a consequent and direct liability if these obligations are not observed. Instead, should the OdV omit to perform controls on the compliance with the organisational models prepared by the Entity, the liability lies directly with the Entity and not the OdV.

With these explanations, the Authority upholds the argument sustained by the Association and clarifies that the OdV is not a separate body from the Entity but it is part of the same and the latter is assigned with defining the scope and procedures for exercising the duties to assign to it. Therefore, its members, as part of the Entity, as stated in articles 29 of the Regulation and 2-quaterdecies of the Legislative Decree 101/2018, must be designated as subjects authorised to process data that it learns of in exercising its function and must follow precise instructions provided to them by the Data Controller.

In light of the above, the Authority clarifies that such explanations, inferred based on the principles contained in the privacy legislation, do not exceed and are not in conflict with the provisions of decree 231 which attributes to the OdV autonomous powers of initiative and control for correct exercise of its functions.

Other related insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…