The position of Data Protection Officer (DPO) was introduced by the new European regulation on personal data protection (Art. 37 of the GDPR). The DPO is appointed by the data controller or data processor and his/her appointment must be disclosed to the National Supervisory Authority.

It is mandatory to appoint a DPO when:

  • The processing is carried out by a public authority or a public body (except courts when exercising their judicial functions);
  • The main activities of the Data Controller and Data Processor are processing operations which, by their nature, scope, and/or purpose, require the regular and systematic monitoring of the data subjects on a large scale;
  • Their main activities of these parties are large-scale processing of special categories of personal data.

The DPO establishes the company's privacy policy (to be ratified by management), drafting instructions to which employees can refer for an unambiguous interpretation of the application of the law.

The DPO may be in-house or external; in the latter case, the DPO may be a company or a consultant specialising in personal data protection issues

Faro is the right partner and offers its expertise in personal data protection legislation and practice.

Go To top