Authority: legal classification for the purposes of Supervisory Body privacy

With a note of 16 October 2019, the Association of Supervisory Body Members as per Legislative Decree  231/2001 (the “Association”) asked the Italian Data Protection Authority (the “Authority”) for a meeting to discuss the issue of the subjective classification for privacy purposes of the Supervisory Body (the “OdV, Organismo di Vigilanza).

The Association’s arguments

The subjects defined by the Regulation (EU) 2016/679 concerning personal data protection (the “Regulation”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the provisions adapting national legislation to the Regulation (the “Privacy Law” and together with the Regulation the “Privacy Legislation”), include the (i) Data Controller, defined as “the natural person or legal entity (…) that, individually or together with others, determines the purposes and means of the processing”; (ii) Data processor, i.e. “the natural person or legal entity, public authority, service or other body that processes personal data on behalf of the data controller” and (iii) Party Authorised to process personal data, i.e. “(…) anyone acting under the authority” of the Data Controller or Processor.

The issue, discussed fully in case law starting from the first interpretations of the Regulation, witnessed a conflict between the argument whereby the Supervisory Body for correct application of the Privacy Legislation should be classified as the Data Controller and the argument that considered it as Data Processor, i.e. a third party in relation to the Controller but acting on its behalf.

The Association supported a third hypothesis where the OdV, “as part of the enterprise”, must not be defined as a Data Controller or a Data Processor but its subjective classification should be within the organisation of the Entity it is asked to supervise.

The Authority’s position

The Authority clarified that the OdV cannot be classified as an independent Data Controller since it does not have the right to determine its own duties. They, along with their operation, means and security measures as well as any attribution of resources, are defined by the enterprise’s management body based on the previously adopted organisational model.

Moreover, according to the Authority, the OdV is not even classified as an external Data Processor since the Regulation attributes to the latter a series of obligations and a consequent and direct liability if these obligations are not observed. Instead, should the OdV omit to perform controls on the compliance with the organisational models prepared by the Entity, the liability lies directly with the Entity and not the OdV.

With these explanations, the Authority upholds the argument sustained by the Association and clarifies that the OdV is not a separate body from the Entity but it is part of the same and the latter is assigned with defining the scope and procedures for exercising the duties to assign to it. Therefore, its members, as part of the Entity, as stated in articles 29 of the Regulation and 2-quaterdecies of the Legislative Decree 101/2018, must be designated as subjects authorised to process data that it learns of in exercising its function and must follow precise instructions provided to them by the Data Controller.

In light of the above, the Authority clarifies that such explanations, inferred based on the principles contained in the privacy legislation, do not exceed and are not in conflict with the provisions of decree 231 which attributes to the OdV autonomous powers of initiative and control for correct exercise of its functions.

Other related insights:

• How to manage risk assessment in an emergency