The Data Protection Authority, on 15 December 2017, published on its official website a series of clarifications regarding the appointment and duties of the Data Protection Officer (“DPO”). More specifically, the Data Protection Officer must have specific skills, preferably, whenever appointed internally, be a Manager or a high ranking professional to be appointed with a specific deed. The Data Protection Authority, in addition, clarifies that this task cannot be carried out neither by the corporate IT System’s Manager nor any other professional figure with conflict of interest. In addition, the Data Protection Authority points out that even though there are no diplomas or degrees suitable to train the Data Protection Officer, even if he/she must have specific legal knowledge, now there are a variety of courses that offer specific training on the matter and the Data Protection Authority recommends attending them. In fact, it is reminded that the appointment of a non-competent person or a person not suitable to carry out the role of Data Protection Officer could lead to fines for the Data Controller, among which the payment of administrative fines. Finally, it is specified that the role could be held also by a legal entity, as long as there is an individual within the company that acts as a reference.

The Data Protection Regulation 2016/679, which will become fully effective on 25 May 2018, has introduced among others the figure of Data Protection Officer (DPO). In consideration of the first requests for clarifications on their appointment, the Data Protection Authority, in its Newsletter no. 432 of 15 September 2017, has provided specific indications. In particular, the Authority has clarified that the public administrations, as well as private entities, when selecting a Data Protection Officer, must verify that they have specific competences and experiences, and that, on the contrary, no formal certifications of professional knowledge or registrations in proper rosters are required. In the opinion of the Authority, a DPO must in fact have a profound knowledge of the legislation and standard practice on privacy, and of the peculiar administrative rules and procedures of the relevant sector.  In any case, the Authority has reserved the right to provide further indications following the questions and requests for clarification on the Regulation, gathered during specific meetings that the Authority will hold with public and private entities.