In the event a legal person carries out DPO services and tasks, such services shall effectively be delivered by an employee that is part of legal person’s organisation.
Decision No. 1468 of third section of Italian Administrative Court (Tar) deals with DPO designation and its legitimacy under the GDPR. In particular, a professional link between DPO service assignee and individuals who carry out the activity is needed.
Italian court decision has been based on Italian Guidelines on Data Protection Officers. In particular, previous guidelines explores the possibility of DPO services that are assigned to a legal person. In such case, it appears relevant the professional connection between the assignee and the individual who carries out the DPO activity. In fact, Italian Guidelines state that each subject included within assignee organisation shall fulfil the requirements of art. 4. of GDPR. Then, it is implicitly required that the physical person shall be part of assignee organisation.
In the present case, the assignee was unable to prove that the appointee was part of its organisation. On the contrary, the only – weak – professional connection was based on a proposal of appointment which has not been registered nor attached to any documentation.
Under these circumstances, DPO appointee shall always be part of assignee organisation with purpose of providing transparency and quality of DPO services.