In a decision dated December 2024, the Italian Data Protection Authority (Garante) imposed a fine of 70,000 euros on a credit rehabilitation company for multiple violations of the General Data Protection Regulation (GDPR).
While the monetary penalty addressed several issues—such as unlawful data retention and the absence of processor contracts—the most significant takeaway is the Garante’s firm stance on the structural independence required for the role of the Data Protection Officer (DPO).
This decision is particularly relevant for organisations that have appointed internal personnel—such as managers, executives, or legal representatives—as DPOs, without adequately assessing the incompatibility of roles. Crucially, the Garante clarified that simply designating someone as DPO is not enough: the role must be functionally and structurally independent and assigning it to someone involved in key business decisions—such as a legal representative or senior manager—is not just discouraged under the GDPR; according to the Garante, it renders the appointment invalid.
Article 38 GDPR and the Garante’s Interpretation
Article 38 para. 3 GDPR requires the controller to ensure that the DPO does not receive any instructions regarding the performance of their tasks, is not dismissed or penalised for performing them, and reports directly to the highest management level. Article 38 para. 6 GDPR allows the DPO to hold other tasks and duties only where these do not result in a conflict of interests; this is the provision that a decision-making role within the business runs up against. The role is supervisory, not operational, and must be free from influence.
The Garante reinforced this legal requirement, explicitly stating that the DPO:
"…must support and monitor the controller, providing advice, training, and guidance on the application of data protection law, in full independence and autonomy, free from conflicts of interest and without receiving instructions regarding the performance of their duties, and who must report directly to top management."
The company’s decision to appoint its legal representative as DPO was found to be structurally incompatible with these requirements. As the Garante observed, a person who participates in business decision-making cannot simultaneously oversee compliance with data protection law and internal privacy policies.
This interpretation aligns with Recital 97 GDPR, which the Garante explicitly cited:
"Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner."
Crucially, the Garante did not simply criticise the company’s choice—it declared the DPO appointment null and void. The Authority stated:
"The incompatibility arising from roles involving decision-making powers over personal data processing should have led to the invalidation of the designation, which, although formally made, is in any case null."
This confirms that non-compliant DPO appointments are not only problematic—they are legally ineffective.
In addition to the flawed DPO appointment, the Garante identified other GDPR breaches that contributed to the fine, including excessive data retention, lack of transparency and no data processing agreements.
These deficiencies reflected a broader weakness in the company’s data protection governance—and highlighted the absence of a DPO with the independence and authority required to detect and address such risks.
The advantage of an external DPO
This decision sends a clear and practical message: outsourcing the DPO role is often the most legally sound, operationally effective, and regulator-aligned solution.
An external DPO offers structural independence from internal hierarchies and business conflicts, together with objective oversight of data protection risks and internal practices.
For many organisations, outsourcing the DPO role is not just a workaround, but a strategic move that reinforces trust, transparency, and accountability.
Appointing an external, qualified, and independent DPO ensures not only regulatory compliance but also long-term credibility and risk mitigation—essential pillars of a modern, defensible data protection programme.
10. April 2025 @ 12:56
Hiring an external DPO does not eliminate the conflict of interest. If the hiring company doesn’t “like” the advice given by the DPO, it can “fire” them and hire another one in their place anyway.