Giancarlo Butti has proposed the interesting topic concerning individuation of the role assigned to bodies in charge of vigilance and control within instances of personal data processing; these bodies are by their nature independent to the entity they supervise, even when being part of it.
Among them, Butti has chosen as example the Organismo di vigilanza – that as provided for by Legislative Decree 231/2001, has supervision tasks towards the organizational model of the body it supervises – and the Board of Statutory Auditors (Collegio sindacale), this latter – as known – an entity with tasks of ex post vigilance towards determined corporations.
In these cases, it is traditionally doubtful whether they carry out autonomous data processing independently from the ones made by the entity they supervise, and therefore they qualify as Data Controllers, or if their data processing are to be intended as attributable to the body subject to supervision, and therefore qualifying as Data Processors.
The doubt is originated from the requisites of independence prescribed by law -essentially consisting in autonomy from any form of interference or conditioning and absence of conflicts of interest – to those organizations in relation to the body subject to supervision, of which they are an expression.
Referring to Organismo di Vigilanza, the law provides for “it is an entity’s organization provided with autonomous powers of initiative and control” (sec. 6.1, let. B) Legislative Decree 231/2001) on the efficient execution of the Organizational, Management and Control Model by the entity.
For its part, the Board of Auditors, as provided for by sections 2403 and 2403-bis of the Italian Civil Code, may supervise also through acts of inspection and control – which may be executed by Auditors through auxiliaries and employees – in concerns of law and statute compliance as well as in regard of regular conduction of organizational, administrative and accounting assets of the body subject to supervision.
It seems to me that the essential requisites of independence and autonomy of this organization from the entity subject to supervision account for incompatibility between implementation of their typical role and the Data Processor’s figure, which is always following instructions of the Data Controller.
Thus, in this instance, this would necessarily translate into unacceptable conflicts of interests between the monitoring organization (body in charge of vigilance and control – processor) and the monitored body (company – controller).
However, it is certain that even these organizations process personal data within execution of their tasks, therefore requiring compliance to law.
But, are those data processing to be intended as autonomous or connected to those executed by the body subject to supervision?
In other words, given that the monitoring organization, in light of its inner features, is to be intended as autonomous and independent in determining the finalities and means of processing – then qualifying as a controller- are these processes correlated or definitely separated from those of the body subject to supervision?
The answer to this question, I believe, influences the means of actualization of lawful processing and identification of related responsibilities.
It is not easy to clarify these aspects, but I believe the base for argumentation would be investigating the connection between the finalities pursued by supervisory body and body subject to supervision.
Within this view, we may say that the body subject to supervision pursues its own finalities of management and company administration, which naturally include compliance with laws, whereas the monitoring organization pursues investigative and surveillance finalities concerning compliance to specific laws, either anti-crime or administrative ones, which are identified a priori by law at constitution of the entity.
However, looking closer, it appears that the body subject to supervision is already bound to comply with specific laws; hence the supervisory organization is an instrument created to ensure full actualization of an internal supervisory system within the body, guaranteeing compliance.
In the meanwhile, the supervisory body holds decisional autonomy on the means of executing its tasks, and thus on the means of processing personal data within its supervisory activities, safety measures among them.
It seems to me that an instrumental correlation could be found between data processing of the supervisory organization and data processing, finalized to compliance, ascribable to the body subject to supervision.
In support for this correlation, the supervisory body is part of the business organization of the body subject to supervision, although with exceptional tasks, and thus its necessary autonomy and independence must be ensured with a dedicated budget and careful composition of the body in order to avoid future conflicts of interests. Moreover, supervisory procedures and other coordination instruments must be defined to avoid dysfunction of the body and enabling positive interactions.
If this is true, we may conclude saying that the bodies subject to supervision and supervisory bodies are controllers of their own data processes, finalized to the compliance of the body subject to supervision; both having different roles and thus different responsibilities in matters of personal data protection compliance.
Different considerations follow this perspective, concerning means of compliance related to personal data processing executed by supervisory body; compliance with supplying information notice to data subjects obligation that rests on the supervisory body will be met by the body subject to supervision with indication of supervisory body among the entities utilized to comply with law (see Italian DPA Provision 23.3.1998, web doc. 40999), providing clear indication of its specific investigative and supervisory finalities.
However, the supervisory body will be single-handedly in charge of other compliances, such as adoption of adequate safety measures, designation of liable individuals, formation and supervision of natural persons in charge of executing processing operations, but also all obligations of accountability in terms of doing (e.g. impact evaluation, risk reduction) and in terms of taking account for actions taken (e.g. registers of processing activities and adoption of procedures of privacy by design and by default) to ensure that processing complies with GDPR.
One last notation concerns the specific data controller authority provided for by GDPR: Data Protection Officer (DPO), whose task is assisting the controller/processor “supervising compliance with (…) regulation” (see considerations 97 GDPR) and granted by law with features of absolute independence and autonomy within execution of its tasks (see sec. 38 sub. 3 and 6 GDPR).
There may be no doubts within the organization layout of active subjects of processing: DPO is clearly a third party figure compared to controller and processor, and this role is explicitly required by data protection legislation as an adoptable instrument by the entity, controller or processor, within activities finalized to risks reduction. Thus DPO has a different role compared to controller and processor, while not being in an alternative position but on an auxiliary one.
Surely, DPO also executes processing of data within its task, and especially in this case the functional correlation and also an instrumentality feature between the entity’s general finalities (compliance with GDPR) and peculiar finalities of the DPO (assistance and supervision of GDPR compliance) are clearly visible.
In this context tough, the autonomy and independence of the body do not mean autonomous liabilities in matters of personal data processing: the legal obligation of compliance with GDPR rests exclusively on the controller and processor. In compliance with this obligation the controller and the processor, when provided with a DPO, must state explicitly the role’s tasks (sec. 39 GDPR) and provide “the necessary resources to fulfill those tasks and access personal data and processes and maintaining their own specialist knowledge” (sec. 38, sub. 2, GDPR).
The DPO does not have direct liability for sanctions or compensations caused by entity’s failure to comply with GDPR (not even, if the failed fulfillment were caused by negligence or fraud of the DPO; obviously in this case the entity may claim internal compensations, in form of contractual liability): such liabilities are thus provided for by law only for the controller and the processor (sec. 82 sub.1 and sec. 83 GDPR).
Hence the DPO does not represent an active subject of processing and those processes executed by DPO within its task are all ascribable to the accountability of the entity, whose decisions in matter of finalities (fulfillment of legal obligation to comply with GDPR) and means (definition of DPO’s role width, initiatives taken to ensure independence and autonomy within its tasks, voluntary decision of creating such body).
The design of the DPO role by the controller/processor becomes then a milestone for the coordination between, on one hand, autonomy and independence of the supervisory body towards the body subject to supervision and, on the other hand, the need of ascribing the processing executed by DPO among those of the controller/processor.
From the possibility to ascribe to the entity who designates the DPO the liability for processing executed by DPO, it should originate obligation of the entity to inform all potentially affected data subjects of the designation and powers of processing, which are clearly related to the supervisory tasks provided for by law (sec. 39 sub. 1 let. b) and c)), ascribable to DPO, in addition to the publication of DPO’s data which is compulsory according to sec. 37 sub. 7.