Data Protection Officer: not mandatory anymore

By Sergio Fumagalli | Saturday June 20th, 2015

“The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer”.

This is the opening of Article 35 of the Regulation as amended and approved by the EU Council on the 11th of June and which the Presidency submits for approval as a General Approach.

Even limiting the evaluation to this opening sentence, it is clear that major changes have been made to the previous version, which stated: “The controller and the processor shall designate a data protection officer in any case where…”.

First change: “Shall” becomes “may”. That is, it becomes an option to appoint the data protection officer. This is in line with Recital 75 that states: “Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person with expert knowledge of data protection law and practices may assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”

Second change: “or where required by Union or Member State law shall …”. This is quite a strange change, considering that one of the objectives of the new regulation was “one continent, one regulation”, as opposed to the current situation of “one directive, 28 laws”. With the version approved by the EU Council, member States are again in a position to define their own approach to personal data protection and, consequently, to differentiate the rules, creating competition among States.

No incentives are in place to push organizations to appoint a DPO, or, at least, they are very difficult to identify.

It is quite clear that the decision taken by the EU Council aims to remove a rule that could produce additional costs, especially for small and medium enterprises, without deleting it formally, while taking into account that some member States may already have introduced such a rule.

Considering that almost all large enterprises already have a privacy department, stating that “… a person with expert knowledge … may assist the controller…” doesn’t mean that much.


About Sergio Fumagalli

Vice President of Zeropiu Spa, a system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Italian Data Protection Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005, a book on compliance with the Italian law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit, a leading association on IT security in Italy. Between 2004 and 2012 member of the board of Webank Spa, the online bank of the Banca Popolare di Milano group.
