P&S supports and encourages proper Data Governance throughout the  management of the entire data lifecycle, with specific reference to data protection, cybersecurity and the right to privacy.

The European data protection Regulation, technically “European Regulation on the protection of personal data”, GDPR n. 679 of 2016 repeals the EC Directive n. 46 of 1995, and became fully effective on 25 May 2018.

The Regulation on the protection of personal data is made of 99 articles and about an half provide for the fine system, related to violations of obligations.

One in two articles therefore exposes you to heavy financial outlays.

In addition to the introduction of the Data Protection Officer (DPO), which is mandatory in certain cases, the new legislation also introduces an obligation for the owner of a company to notify the National Data Protection Authority (garante privacy) of the so-called “data breaches“.

In essence, companies are required to document their consent, to provide evidence of the legal basis of their actions, to keep and maintain a register of processing operations, to prepare a risk analysis and in some cases to carry out a privacy impact assessment.

Regulation 679 provides for the introduction of the right to be forgotten (right to be forgotten by the network), as well as the portability of data of users who transfer from one company to another.

The figure of the DPO is unprecedented in the history of EU law, although in practice in many Member States comparable figures can be found.

In Italy, the Authority has already been active in collaborating with private and public offices in the months prior to the full entry into force of the new obligations.

The appointment of a Data Protection Officer will be mandatory for all public authorities and all public entities, for other entities where the main activity carried out by the data controller or data processor is concretely expressed in the regular and systematic “large scale monitoring” of natural persons and finally for those who always process on a large scale particular categories of data or data relating to criminal convictions.

However, it is also advisable for persons who are not obliged to have a Data Protection Officer and, if it is decided otherwise, it is advisable to document the assessments that led to this decision.

The DPO is not personally liable for any failure to comply with the regulations: the burden of complying with the regulations in question lies either with the owner or the person responsible for processing personal data, who cannot coincide with the DPO.

For this reason, the latter must be guaranteed a certain autonomy and third party status with respect to the other internal figures, in fact he may not be penalized or removed from his post for the sole performance of his duties.

It must also be given sufficient resources to be able to play its role in the best possible way.

The Regulation does not concern itself with defining terms such as ‘main activity’ or ‘large-scale’.

Recital 97 of the Regulation seems to exclude the processing of data when this is only an ancillary activity: however, if the processing of data is an indispensable component to ensure certain services of the main activity, the appointment of a Data Protection Officer will be necessary.

With regard to the “large scale”, the Regulation has always been a non-detailed definition, indeed in recital 91 it seems to identify it negatively, providing that “the processing of personal data should not be considered a large-scale processing when it concerns personal data of patients or clients by a single doctor, healthcare professional or lawyer.

In any case, it is appropriate to take into account the number of subjects involved in the processing, the volume and types of data, the duration of the processing activity and finally the geographical scope of the same.

The tasks of the DPO are governed by art. 39 of the Regulation, and in particular they are highlighted:

  • inform and advise the controller or controller and the employees who carry out the processing;
  • monitor compliance with this Regulation, other Union or Member State provisions relating to the protection of personal data, including the allocation of responsibilities, awareness raising and training of personnel involved in processing and related control activities;
  • prepare, as requested, opinions relating to the impact assessment on data protection and monitor 
its performance in accordance with Article 35;
  • cooperate with the supervisory bodies;
  • to act as a contact point for authorities on issues related to processing, including prior consultation 
as referred to in Article 36, and to carry out, where appropriate, consultations on different issues.

In carrying out his or her tasks, the Data Protection Officer must carefully consider the risks involved in the processing, taking into account the nature, scope, context and purpose of the processing. 
The aspect that has made the most headlines in Italy is undoubtedly that of economic sanctions.

Indeed, almost half of the articles of the Rules of Procedure that came into force in May 2018 concern the application of administrative sanctions.

For breaches of obligations by companies, up to EUR 10 million can be punished, while for breaches of the principles of the regulation or the rights of the persons concerned, up to EUR 20 million can be punished.

Data Protection Officer and Data Protection Regulation

P&S Legal supports private companies and public bodies in resolving the critical issues arising from the privacy legislation with particular reference to the innovations introduced with the new Regulation 679 of 2016, also providing assistance both as DPO, both in the preparation of privacy models, without neglecting the fundamental and ineliminable aspect of the training of the active subjects withing the organization.


  • Data Governance Consulting
  • Data protection regulatory compliance assessment audits
  • Contracts and information on data processing, policies, cookies, data transfer
  • Executive and employee training
  • DPIA Privacy Impact Assessment
  • Analysis of legal risks and privacy exposures
  • Cyber Security
  • Data Protection Officer in corporate outsourcing
  • Continuing legal advice and support to the internal Data Protection Officer
  • Legal opinions on privacy and data protection
  • Regulatory and compliance assistance in relations with the national data protection Authority (notifications, authorizations, 
defense in litigation)
  • Incident Response, Crisis Management in Data Breach
  • Continued support for promotional and advertising activities in the area of privacy
  • Consulting in the management of databases