The privacy officer is a corporate role, requiring both legal and IT competences, whose primary responsibility is to oversee, evaluate and organize how personal data are processed (and therefore protected) within the company, so that they are handled lawfully and appropriately, in accordance with the law in force.
When the person holding this role is granted autonomy and decision-making power in the performance of their duties, they are called chief privacy officer (CPO), a figure that in Europe has also taken the name of data protection officer (DPO), or "person responsible for data protection" as rendered in the Italian translation of the proposed European Regulation. According to statistical data, more than 23,000 companies in Italy will be required to designate a person responsible for data security (privacy officer) once the European Regulation is in force.
Because of the tasks assigned to the role, the privacy officer must have adequate knowledge of the law regulating the management of personal data in the country in which they operate. They must therefore be able to offer top management the advice needed to design, test and maintain an organized system for personal information management, ensuring the adoption of a set of security measures designed to protect data, meet the requirements of the law, and guarantee security and confidentiality.
Article 36 of the proposed EU Regulation on the protection of personal data describes the position of the privacy officer (person responsible for data protection): the controller or the processor shall ensure that the person responsible for data protection (privacy officer) is promptly and properly involved in all issues relating to the protection of personal data. The controller or the processor shall ensure that the person responsible for data protection performs their functions and duties in complete independence and receives no instructions regarding the exercise of those duties. The data protection officer reports directly to the top of the hierarchy of the controller or of the processor. The controller or the processor supports the person responsible for data protection in carrying out their tasks and provides the personnel, premises, equipment and other resources necessary to fulfil the functions and duties provided for in Article 37 of the Regulation.
Article 37 of the proposed EU Regulation on the protection of personal data lists the duties of the privacy officer (person responsible for data protection):
- to inform and advise the controller or the processor of their obligations under this Regulation, and to maintain records of this activity and of the responses received;
- to monitor the implementation and application of the controller's or the processor's policies on the protection of personal data, including the allocation of responsibilities, the training of staff involved in processing, and the related audits;
- to monitor the implementation and application of this Regulation, in particular as regards the requirements relating to data protection by design, data protection by default, data security, information to data subjects, and requests from data subjects to exercise their rights under this Regulation;
- to ensure that the documentation referred to in Article 28 is maintained;
- to monitor that personal data breaches are documented, notified and communicated in accordance with Articles 31 and 32;
- to monitor that the controller or the processor carries out the data protection impact assessment and applies for prior authorisation or prior consultation in the cases provided for in Articles 33 and 34;
- to monitor that requests from the supervisory authority are complied with and, within the scope of their competence, to cooperate with the supervisory authority either at the authority's request or on their own initiative;
- to act as the point of contact for the supervisory authority on questions relating to processing and, where appropriate, to consult the supervisory authority on their own initiative.