DATA PROTECTION
Italian Data Protection Authority: the company that appointed its legal representative as DPO was fined 70 thousand euros.
Seven years after the GDPR came into force, the Italian Data Protection Authority had to reiterate a fundamental principle: the Data Protection Officer (DPO) cannot coincide with the legal representative of the company to which he or she has been appointed. The role of the DPO requires independence and autonomy, especially in the function of supervising the correct application of the rules on the protection of personal data.
By a provision of 28 February 2025, the Authority imposed a fine on a company active in the credit rehabilitation sector, following a report from the Bank of Italy. The case has highlighted how, despite the clear provisions of the European Regulation, there are still organisations that do not recognise the incompatibility between the role of DPO and that of legal representative.
According to Article 38 of the GDPR, the Data Protection Officer must be a person designated by the data controller or processor with the task of providing support, advice and training, as well as monitoring the application of privacy regulations. The DPO must be able to operate independently, without conflicts of interest and without receiving instructions on how to carry out his or her task, reporting directly to the company's top management.
However, the checks conducted by the Authority showed that the company involved had appointed its legal representative as DPO, without considering the incompatibility between the two positions and without even communicating the designation to the Authority.
The investigations also uncovered other serious violations of the GDPR. The company managed a database containing the data of over 70,000 people, collected over time by various companies headed by its legal representative. These companies, which had succeeded one another over the years in providing the same services, had accumulated information without adequate traceability of the data sources.
One of the critical issues that emerged concerned the absence of technical tools capable of identifying which company, among those attributable to the legal representative, had collected certain personal data. In addition, the information was stored indiscriminately, without providing the data subjects with clear information on the corporate transitions that had involved their data.
Other breaches involved data management over time. The company had never defined specific retention periods and, even after the termination of the contractual relationship, continued to hold information that was no longer necessary. In addition, some processing was delegated to external parties – both natural and legal persons – without entering into contractual agreements governing such operations, in violation of the provisions of the GDPR.
In the face of these irregularities, the Authority required the company to take corrective measures to ensure compliant management of personal data. Despite the absence of specific precedents, the Authority decided to sanction the company with a fine of 70,000 euros, taking into account the seriousness of the violations, their duration and the lack of cooperation shown during the investigation.