First indications from the Italian Data Protection Authority (Garante Privacy) on how to choose the DPO: specific competences are required, not formal certificates

Public administrations, as well as private entities, should choose a Data Protection Officer (DPO) carefully, verifying that the candidate has specific competences and experience. Formal certificates attesting knowledge, or membership of professional registers, are not required. These are some of the indications provided by the Italian Data Protection Authority in response to questions concerning the appointment of this important new figure – introduced by EU Regulation 2016/679 – which all public authorities and many private entities must appoint by May 2018.

In a note sent to a hospital, the Office of the Italian Data Protection Authority points out that Data Protection Officers should have in-depth knowledge of the legislation and of privacy practice, as well as of the laws and administrative procedures that characterize the specific sector. Moreover, the selection should favour those who can demonstrate the professional qualities best suited to the complexity of the assignment, documenting their experience and their participation in master's programmes and professional courses (especially where the level achieved is indicated).

For instance, because of the confidential nature of the data processed (such as health and genetic information), the experts chosen by hospitals should preferably have specific experience in that field and work exclusively on that task. Furthermore, the Italian authority explained that the current regulation does not require the candidate to hold formal certificates of professional expertise. Such certificates, which may also be issued following an assessment at the end of a training course, may be a useful tool for checking that a candidate has an appropriate level of knowledge of the subject, but they do not constitute a qualification for the role of DPO.

The current regulation does not provide for the creation of a professional register (bar) of Data Protection Officers setting out the requirements, knowledge and competences of its members. Public authorities and private companies should select DPOs independently, evaluating whether they meet the requirements necessary to fulfil their tasks.

The Italian Data Protection Authority reserves the right to provide further information on its institutional website, also in light of the questions and requests for further information on the Privacy Regulation collected during specific meetings between the Authority, businesses and the public administration.

(from the Newsletter of the Italian Garante privacy No. 432/2017 of 15 September, 2017)