


Italian DPA: The role of the DPO is entirely incompatible with that of the company’s Legal Representative


published on 26 March 2025 | reading time approx. 4 minutes


In a decision dated December 19, 2024, the Italian Data Protection Authority (“Garante”) issued a sanction against a credit rehabilitation company (“Company”), amounting to Euro 70,000.

The proceedings originated from a report by the Bank of Italy, which identified irregularities in the Company's requests for access to data from the Credit Risk Center.

The investigation began on June 13, 2023, with an inspection at the Company's premises. Specifically, it was found that the Company's legal representative, without proper authorization, had submitted numerous requests to access Credit Risk Center data on behalf of individuals. This raised concerns about the potential misuse of sensitive financial data.

The Garante's analysis highlighted severe deficiencies in the Company's data management practices. The investigation revealed that the Company collected personal data from customers through its website without providing adequate information to data subjects, violating Article 14 of the GDPR.

Moreover, data retention was managed irregularly: the personal information of over 70,000 customers was stored in a centralized database without a clear definition of retention periods and without a periodic deletion system. This resulted in a violation of the storage limitation principle under Article 5 of the GDPR.

Another significant aspect of the investigation concerned the relationships between the Company and third parties involved in data processing. It was found that several consultants and collaborators processed data on behalf of the Company without being formally appointed as data processors, as required by Article 28 of the GDPR. The existing contracts were generic and lacked specific details about the roles and responsibilities of the parties involved.

Finally, a serious conflict of interest was identified in the appointment of the Data Protection Officer (DPO). The Company had appointed its own legal representative as the DPO, in violation of Article 38 of the GDPR, which mandates the independence of this role. Additionally, the Company had failed to notify the Garante of the DPO's appointment, as required by Article 37.

In light of these findings, the Garante reaffirmed the importance of adhering to fundamental data protection principles, particularly the principles of transparency and fairness in processing. According to Article 5 of the GDPR, personal data must be processed lawfully and transparently, while Article 14 requires data controllers to provide clear information to data subjects regarding data processing.

The decision also emphasized the need for proper management of relationships between data controllers and processors, requiring clear contracts that define the activities carried out by external entities.

Most importantly, the decision underscored the crucial role of correctly appointing a DPO: the officer must be independent and free from any conflict of interest with the company's legal representative role.

Therefore, in light of these violations, the Garante declared the Company's data processing unlawful and imposed a fine of Euro 70,000. Additionally, the Authority imposed a series of corrective measures for the Company to comply with data protection regulations, specifically ordering:
  • The implementation of a clear procedure for data retention, defining specific timelines for deleting unnecessary data.
  • The immediate deletion of personal data of customers who have not used the Company's services and the removal of data retained beyond legal limits.
  • The establishment of contracts (or other appropriate legal instruments) with all third parties processing data on behalf of the Company, in compliance with Article 28 of the GDPR, clearly specifying roles and responsibilities.
  • The appointment of an independent Data Protection Officer in compliance with legal requirements, replacing the currently conflicted individual, and the formal notification to the Garante of the new DPO's appointment and of the measures taken to ensure compliance with current regulations.

Starting from the Garante's decision, it should be recalled that the designation of a DPO must be based on criteria of independence, competence, and the ability to manage data protection.

To identify the ideal candidate, an assessment of the DPO function should be conducted, evaluating:
  • The specific skills required for the role;
  • Previous experience in data protection;
  • Certifications obtained, such as:
    1. UNI 11697/2017 Certification (Privacy Manager/Privacy Specialist)
    2. Privacy Officer Certification (ISO/IEC 17024)
    3. CIPP/E (Certified Information Privacy Professional/Europe)
    4. CIPM (Certified Information Privacy Manager)
    5. Information security certifications (e.g., ISO/IEC 27001)

Moreover, the DPO should keep their skills up to date through continuous training, as data protection regulations are constantly evolving.

The choice of a DPO cannot be improvised: a careful analysis of business needs and the professional's capabilities is essential to ensure GDPR compliance and effective corporate privacy management.


Authors

Silvio Mario Cucciarrè, LL.M., Avvocato, Associate

Nadia Martini, Avvocato, Partner
