Categories: Insights, Practice

Tag: DPO, Garante Privacy


27 Jul 2020

The Data Protection Officer: controls and sanctions in case of failure to designate same

With a decision dated 1 April 2020, the Spanish Data Protection Authority (hereinafter, the “Agencia Española Protección Datos” – “AEPD”) sanctioned a Spanish company doing business in the home delivery sector following the relevant online booking, used by thousands of customers, due to the failure to designate a Data Protection Officer (hereinafter, the “DPO” or the “Head of Data Protection”) pursuant to Article 37 of Regulation (EU) 2016/679 on personal data protection (hereinafter, the “Regulation”).

One of the new developments introduced by the Regulation is the role of the DPO. Indeed, Articles 37, 38 and 39 include provisions in connection (i) with the designation of the DPO (ii) with the position held by such role within an organisation and (iii) with the reference as to the minimum duties to be assigned thereto in light of the nature, scope of application, context and aims of the processing carried out by the Data Controller or by the Data Processor.  

However, if we stick to a literal interpretation of the Regulation, not all Data Controllers or Data Processors are under an obligation to designate any such role.

The above-mentioned line of interpretation arises out of the content of Article 37, based on which it is necessary to designate a DPO in any case where: “(i) the processing is carried out by a public authority or body (…)”, “(ii) the core activities (…) consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”, or (iii) “the core activities (…) consist of processing on a large scale of special categories of data (…) or personal data relating to criminal convictions (…).

From the very first interpretation of the Regulation, such cases have started considerable debate with the corresponding different stances on the side of law scholars. The expressions “large scale” “regular monitoring of data subjects on a large scale” are rather vague and, often, in the actual implementation of the Regulation, they may bring about interpretative doubts.

In this respect, the decision of the AEPD at issue is not only significant because it includes one of the first sanctions inflicted as from the entering into force of the GDPR following the ascertainment of the failure to designate the DPO, but also and moreover, because it constitutes a precedent in the definition and demarcation of the “large scale” concept. Indeed, the Spanish Authority emphasises the numerical significance of the data subjects affected by the processing as a necessary condition in order to ascertain the vague large scale concept.

Within our domestic scope, notwithstanding the rules under the Regulation, the Italian Data Protection Authority has clarified that it is also possible to designate a DPO even in those cases not falling within those imposed by the Regulation. Indeed, in light of any such clarification, it is good practice to accurately ground and document the reasons why the Data Controller, or the Data Processor, have made the decision to identify any such role or not.

Finally, we would like to recall that infringements of the obligations under the aforesaid Articles 37, 38 and 39 of the Regulation entails, pursuant to Article 83(4) of any such Regulation to the infliction of an administrative fine up to Euro 10,000,000.00 or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.

Others insights related:

FAQs of the Data Protection Authority on the Data Protection Officer of Personal Data

DO YOU KNOW THAT.. The GDPR has introduced the DPO?

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…