Delaying the appointment of a DPO and its notification to the Italian DPA (in addition to other GDPR breaches) can lead to a €75,000 fine

Below, we briefly set out the approach of the Italian Data Protection Authority ("Garante") in enforcing the requirement for public authorities to have a DPO and to communicate the appointment of such a DPO to the Data Protection Authority in a timely way.



Background

The decision of the Garante dated 11 February 2021 (available here in Italian) originated from an investigation against the Italian Ministry of Economic Development ("MISE") regarding the publication of personal data on the MISE website. The MISE had made available information about a large number of experts in innovation, to allow SMEs to benefit from certain contributions for their digital innovation.

The Garante initially found this publication unlawful, as the MISE did not have a proper legal basis for publishing the full details of the experts rather than the limited and strictly necessary details. In the course of investigating this, the Garante also ascertained that MISE had appointed its DPO belatedly and communicated the appointment and the DPO’s contact details to the Garante with a considerable delay.

In particular, the appointment of the DPO occurred only at the end of October 2019 (rather than in May 2018 when the GDPR came into force) and was then communicated to the Garante after a certain delay as well.

MISE’s defence in relation to its failure to comply with the DPO requirements

After receiving the notification of the violations by the Garante, MISE sent back its defence, confirming that the delay in fulfilling the DPO appointment requirement as set out in the GDPR occurred due to the Ministry’s long privacy reorganisation project, which started in July 2018 and ended in September 2019. According to the arguments submitted by the MISE describing the circumstances that led to this delay, the time necessary for it to comply with the DPO appointment requirements was significantly expanded "due to the change of political bodies, with the establishment of a new government [...] and the start of the reorganisation procedure - following the appointment of the new Minister - of the executive offices of general level, in reform of the previous structure". Once the full reorganization procedure was completed, the MISE finally appointed the DPO.

The Garante’s position

Although the Garante recognized the relevance of the MISE’s arguments in proving its reasoning in approaching the GDPR’s requirements more widely, it regarded them as insufficient to invalidate the Garante’s objections. This is especially so given that, as early as May 2017, the Garante had implemented a comprehensive information campaign addressed to all public entities concerning the requirements to be fulfilled under the GDPR. On that occasion and on others later on, the Garante expressly flagged to public authorities the priorities they would have to consider in the process of adapting to the new legal framework. The priority was the appointment of the DPO, as the authority highlighted that “this new role, that is required by the Regulation to be identified on the basis of the professional skills and expertise of the DPO in data protection law and its practice, is at the core of the implementation process of the principle of ‘accountability’” and that “the direct involvement of the DPO in all matters relating to the protection of personal data, starting from the transitional phase, is certainly a guarantee of the quality of the result of the ongoing adaptation process”.

As a result, failing to appoint a DPO despite the Garante’s repeated focus on such a role, and the delay in starting the internal privacy reorganization process, was not excusable. Moreover, MISE also delayed the communication of the appointment to the DPA for some time: unfortunately the decision omitted any details on the length of this delay, so it is difficult to assess what the Garante considers to be a reasonable timeframe.

The application of the administrative fine

The violation of the provisions contained in Art. 37(1) and (7) of the GDPR lasted for about a year and a half. In this respect, although taking note of the circumstances linked to the contingencies of the change of political leadership and the related administrative reorganisation, the Italian DPA considered that MISE’s conduct was not justifiable. The Garante considered this violation relevant for the purpose of Art. 83 of the Regulation, particularly in light of the information activity carried out by the Garante towards the public administrations.

However, in line with the principle contained in Art. 83(3), which provides that "[i]f a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the Garante issued a single comprehensive fine of €75,000, pursuant to Art. 83(2) and 83(3) of the Regulation, for all the violations ascertained by the Garante, including the violations of Art. 5 and Art. 6 of the GDPR and Art. 2-ter of the Italian Data Protection Code.

The lesson we can learn from this decision is that it is not just failure to comply with the GDPR which puts organisations at risk of enforcement. Delays in complying with key GDPR requirements such as the appointment of a DPO are also likely to lead to enforcement action, regardless of the reason for the delay itself.
