VGS corporate lawyers
London

+44 2039665531

Milan

+39 0250043613

  • Home
  • Who we are
  • Practice Areas
    • Company law
      • Setting up a company in Italy
      • Corporate governance
      • Bankruptcy
    • Debt Recovery & Credit Collection
    • Arbitration and Mediation
    • Contracts
      • Acquisition Finance
    • White collar crimes
    • Data protection and GDPR
  • People
    • Avv. Valentina Giarrusso
    • Avv. Flavia Di Pilla
    • Avv. Silvia Pellegrini
    • Avv. Giuseppe Ganci
    • Avv. Valentina Improta
    • Dr. Fabrizio Di Patti
    • Avv. Salvatore Fasciana
    • Dr. Yasine Ajlane
  • News & Blog

Italian Insurance Intermediaries and Data Protection Officer appointment

  • by VGS' Editorial Board
  • 30 April 2019
  • Comments (0)

Since the General Data Protection Regulation entered into force, the whole privacy scenario has continued changing. In fact, GDPR new provisions still need to be fully implemented within majority of undertakings. One of the most important provision is related to the Data Privacy Governance and it sees the appointment of Data Protection Officer (“DPO”). 

As confirmed by recital 97 of GDPR, the Data Protection Officer is an expert of data processing with specialised knowledge of European Privacy Normative. Furthermore, data controller and data processor, in some specific context, shall find assistance of a Data Protection Officer.

Art. 37 of GDPR clearly stated that appointing DPO is mandatory: 

  1. In the event that data processing is carried out by a Public Authority or Public Body;
  2. In the event that core activities carried out by data controllers and data processors – by virtue of their nature, scope or purposes – require a regular and systematic monitoring of data subjects on a large scale;
  3. In the event that core activities carried out by data controllers and data processors consist of processing special categories of data pursuant article 9 GDPR. 

DPO appointment constitutes an important task that falls under the scope of the new accountability principle. The accountability principle requires the adoption of proactive policies and mechanisms that may demonstrate the correct application of GDPR. 

Within the Italian landscape, many insurance bodies and organisations misinterpreted Data Protection Authority guidelines in relation to DPO appointment. Italian Data Protection Authority has confirmed that DPO appointment is mandatory in all cases where core business activities consist of data processing activities that monitor, systemically and on a large scale, personal data or sensitive data according to Art.9 GDPR. Under this circumstance, subjects like insurance and finance societies, auditing companies, political parties, trade unions et cetera. 

In particular, in the context of insurance organisations, insurance intermediaries did not respect GDPR obligation in relation to DPO appointment. Then, it seems important to show what insurance intermediaries are subject to the obligation of appointing a Data Protection Officer.

Taking into consideration the Italian Register of Intermediaries (“Registro unico degli intermediari”), it is possible to conclude that not all insurance intermediaries have to appoint a DPO. For instance, subjects involved in setting insurance or commercial deals, which are listed under the “C” section within the previous document, are not demanded to appoint a DPO. In the same manner, sub insurance agents, grouped within “E” section have not the obligation of appointing a DPO. In fact, both of the previous subjects do not carry out data processing activities on a large scale or targeting sensitive data.

Conversely, insurance agent or brokers – grouped within Registro Unico Degli Intermediari sections “A” and “B” – are likely to be subject to DPO appointment obligation due to regular and on a large-scale data processing that is required for their tasks. Moreover, brokers and agents activity are likely to involve the processing of sensitive data such as health or biologic data.

In conclusion, accountability principle is in effect also for Italian Insurance Intermediaries. Then, in order to safeguard accountability principle, insurance intermediaries have to appoint a DPO which might assist and supervise data processing activities undertaken by the subject. 

  • Data Protection
  • GDPR
  • Share:
Previous Article: Italian VAT Identification Number
Next Article Enforcement proceedings by distraint

Practice Areas

  • Company law
  • Debt Recovery & Credit Collection
  • Arbitration and Mediation
  • Contracts
  • White collar crimes
  • Data protection and GDPR

Free Consultation

    Tags

    Airbnb Arbitration Artificial Intelligence Auditing Brexit Company Law Company Shares Consent Contracts Cookies Copyright Coronavirus Data DataProcessing Data Protection DPO European Union Eviction Free Title GDPR HealtData HouseHold Agreements Islamic Law Italian Bankruptcy Law Italian Company Law Italian Corporate Law Italian Criminal Law Italian Debt Recovery Italian Entry Visa Italian Intellectual Property Law Italian Legal Advice Italian Privacy Italian Tax Legal guide MedialTreatment Mediation Partnership Patient Personal Data Privacy Processing Research Startup Warranty White Collar Crimes

    Social Links

    • Facebook
    • Instagram
    • LinkedIn

    See also:

    VGS Lawyers

    VGS - Family Lawyers

    © Copyright 2021 | VGS Corporate Lawyers | All right reserved.

    We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.OkPrivacy policy