Control Bodies and Privacy Roles

By Giancarlo Butti | Monday January 9th, 2017

The DPO, as is well known, has among its tasks (Art. 39(1)(b) GDPR):

to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

Furthermore, according to Art. 38(3):

The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.

In this context, then, the DPO decides autonomously about the processing activities that fall within its specific tasks, much as a controller does. The controller is defined in Article 4 of the GDPR as follows:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

This feature is not unique to the DPO, which, being a role defined in detail by the GDPR, does not qualify as a controller even though it shares some of the controller's characteristics. The same feature can be found in other control bodies that are already present in many Italian organizations because other regulations require them.

I am referring in particular to the Supervisory Bodies (Organismi di Vigilanza) set up under Legislative Decree 231/2001 and to Boards of Statutory Auditors (Collegi Sindacali). Simplifying, the task of these bodies is to supervise the conduct of a specific organization; within that task they are completely autonomous: they determine the purposes and means of the processing.

In other words, such bodies qualify as distinct and autonomous controllers with respect to the organization they supervise.

Category: Data Protection Officer, Legal framework

About Giancarlo Butti

Has worked in ICT, organization and legislation since the early 80s in different roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. Regularly publishes articles (over 700), books (21 books and white papers, some also used as university texts, and 11 collective works within ABI LAB, the Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conference talks. Takes part in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and 263, and in the Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of Experts for Innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro (member of the board of arbiters) of ISACA-AIEA, and a member of CLUSIT and BCI. He holds the following certifications: LA BS7799, LA ISO/IEC 27001:2013, CRISC, ISM, DPO, CBCI and AMBCI.
