One of the benefits introduced by GDPR is about conforming the terminology at European level. But it is verifiable a disadvantage related to the figures involved, leaving the Italian scheme of D. Lgs. 196/2003 and considering the linguistic difference.
Lgs.196/2003 GDPR
Titolare del trattamento Data Controller – Titolare del trattamento
Responsabile del trattamento Data Processor – Responsabile del trattamento
– Joint Controller – Contitolare del trattamento
– Data Protection Officer (DPO) – Responsabile della Protezione dei Dati
‘Titolare del Trattamento’ in D. Lgs. 196/2003 matches with “Data Controller”, but there is the only difference relative to the scope of applicability is extended to all Member States.
The Data Controller and Data Processor, already present in the Italian legislation, are no longer obliged to take minimum-security measures. However, they shall implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. The right way is “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”, implementing security measures for risk mitigation.
To demonstrate an adequate level of safety and adherence to the standard will then adhere to a “Code of conduct approved” or an international standard such as ISO, still unclear.
The Joint controller is not present in the Italian low. Therefore, for each personal data treatment, it could be possible that “two or more controllers jointly determine the purposes and means of processing”. In this way, a new level of complexity in the allocation of responsibilities could be introduced. Must be so planned the signing of an agreement governing the management and governance of data, expanding the scope from the world of IT controls and technological measures to the legal and contractual.
The Data Protection Officer is the new figure introduced by GDPR regulation in order to protect the privacy and personal data. The figure is mandatory for Public Administrations and big enterprises. Among its tasks are the checks and monitoring activities, inside the structure in which it operates and of record keeping requirement. It is also the figure nominee to cooperate with the supervisory authority and act as a contact point for the authorities.