P&S supports and endorses proper Data Governance with respect to data lifecycle management, and specifically in relation to privacy law, data protection and cybersecurity

The European Data Protection and Privacy Regulation, technically “Regulation on the protection of personal dataGDPR n. 679 of 2016 repeals the EC Directive n. 46 of 1995, and became fully effective on 25 May 2018.

The Regulation on the protection of personal data under review is composed of 99 articles and about half of these provide for the system of penalties for breaches of obligations on the part of companies.

One article out of two therefore exposes a company to heavy fines.

Among the changes provided for by the new legislation, in addition to the introduction and the obligation -in specific cases- of the new position of Data Protection Officer (DPO), it is introduced the obligation for the owner of a company to notify the Italian Data Protection Authority (Garante) of the so-called “data breach” (violations of the databases).

Essentially, companies are required to document their consent, to prove the legal basis of their actions, to keep and maintain a register of processing operations, to prepare a risk analysis and, in some cases, to carry out a privacy impact assessment.

Regulation 679 provides for the introduction of the right to be forgotten (the right to be forgotten by the network), as well as the portability of data of users who transfer from one company to another.

The figure of the DPO is unprecedented in the history of EU law, although in practice in many Member States it is possible to find comparable figures.

In Italy, the Guarantor Authority has already been active in collaborating with private and public offices in the months leading up to the full entry into force of the new obligations.

The appointment of a Data Protection Officer will be mandatory for all public authorities and all public entities, for other entities where the main activity carried out by the data controller or data processor is concretely expressed in the regular and systematic large scale monitoring of natural persons and finally for those who always process on a large scale particular categories of data or data relating to criminal convictions.

However, it is also advisable for persons who are not obliged to have a Data Protection Officer and, if it is decided otherwise, it is advisable to document the assessments that led to this decision.

The DPO is not personally liable for any failure to comply with the regulations: the burden of compliance with the regulations in question lies either with the owner or the controller of the personal data, which cannot coincide with the DPO.

For this reason, the DPO must be granted a certain autonomy and impartiality with respect to other internal figures, in fact, he may not be penalized or removed from his post for the sole performance of his duties.

In addition, he must be provided with sufficient resources to carry out his role in the best possible way.

The Regulation does not concern itself with defining terms such as “main activity” or “large scale”.

Recital 97 of the Regulation seems to exclude the processing of data when this is only an ancillary activity: however, if the processing of data is an indispensable component to ensure certain services of the principal activity, the appointment of a Data Protection Officer will be necessary.

As far as “large scale” is concerned, the Regulation has always been a non-detailed definition, indeed in recital 91 it seems to identify it in the negative, providing that “the processing of personal data should not be considered a large-scale processing if it concerns personal data of patients or clients by an individual doctor, healthcare professional or lawyer“.

In any case, it is appropriate to take into account the number of subjects involved in the processing, the volume and types of data, the duration of the processing activity and finally the geographical scope of the same.

The tasks of the DPO are governed by art. 39 of the Regulation, and in particular they are highlighted:

  • inform and provide advice to the data controller or data processor as well as to the employees who carry out the processing;
  • monitor compliance with these Regulations, other provisions of the Union or the Member States relating to the protection of personal data, including the allocation of responsibilities, awareness raising and training of personnel involved in the processing and related control activities;
  • prepare, as requested, opinions relating to the impact assessment on data protection and monitor its performance in accordance with art. 35;
  • cooperate with the bodies responsible for control;
  • act as a point of contact for authorities on issues related to processing, including prior consultation as referred to in Article 36, and carry out, where appropriate, consultations on different issues.
  • In performing his or her duties, the data protection officer must carefully consider the risks inherent in the processing, taking into account the nature, scope, context and purposes of the processing.

The aspect that has made the most headlines in Italy is undoubtedly related to financial penalties.

Indeed, almost half of the articles of the Regulation that will come into force in May 2018 concern the application of administrative sanctions.

For breaches of obligations by companies, in fact, it is possible to be punished with a fine as high as € 10 million, while in the event of a breach of the principles of the regulation or of the rights of the affected individuals, the fine can be increased up to € 20 million.

Data Protection Officer and Data Protection Regulation

P&S Legal helps private companies and public bodies in resolving the critical issues arising from the privacy legislation with particular reference to the innovations introduced with the new Regulation 679 of 2016, also providing assistance both as DPO, both in the preparation of data protection models, without neglecting the fundamental and ineluctable aspect of the training of the active subjects of the processing.


  • Data Governance Consulting
  • Data protection regulatory compliance assessment audits
  • Contracts and information on data processing, policies, cookies, data transfer
  • Executive and employee training
  • DPIA Privacy Impact Assessment
  • Analysis of legal risks and privacy exposures
  • Cyber Security
  • Data Protection Officer in corporate outsourcing
  • Continuing legal advice and support to the internal Data Protection Officer
  • Legal opinions on privacy and data protection
  • Assistance in relations with the authority of the Data protection Authority (notifications, authorizations, defense in litigation)
  • Incident Response, Crisis Management in Data Breach
  • Continued support for promotional and advertising activities in the area of privacy
  • Consulting in database management procedures

Contact us for a preliminary call.