Italian court decision on DPO requirements and new Belgian privacy law

A recent italian administrative court decision clarifies the requirements of the DPO and Belgium introduces a new data protection act implementing the GDPR. 

DPO: Italian court states the role is eminently of a jurist

On 13 September 2018, the Italian administrative court of the Friuli Venezia Giulia Regiuon issued a landmark decisionon the requirements that a DPO should meet.

Called to decide upon an appeal against the DPO selection procedure of a public authorty, the judges found that the local health authority improperly included the ISO/IEC 27001 Lead Auditor certification as necessary requirement for the role.

The Court, in its decision, expressly recognises that:

the meticulous knowledge and application of the sector regulations remain, regardless of the possession of the certification in question, the essential and irreducible core of the professional figure (DPO), whose profile, for the aforementioned considerations, can only qualify as eminently juridical.”

This decision is particularly relevant since it clarifies the minimum scope of DPO’s educational background. in order to meet the GDPR requisites a DPO should possess

  • expertise in national and European data protection laws and practices and
  • an in-depth understanding of the GDPR. Further certification may be considered as a plus, but not as a requirement.

It should be emphasized that Italian law does not provide for the rule of precedents. And indeed, this position is not consistent with what provided by the Italian data protection authority in relation to the DPO’s requirements.

Privacy: Belgium enacts new data protection law

Slightly after Italy and the Isle of Man, even Belgium has finally made available its new Belgian Data Protection Act implementing the GDPR.

The new law repeals the Privacy Act of 1992 and implements the European Directive 2016/680, which relates to personal data processing by authorities in police and criminal matters, thus having a wider scope than the GDPR.

Here is an overview of the key changes introduced:

  1. the minimum age of consent for information society services has been lowered to 13 years;
  2. additional measures have been introduced or processing genetic, biometric, and health­related data, including the requirement to list individuals that have access to such data;
  3. data subject rights have been limited in case of processing by various public authorities (e.g. such as law enforcement and custom authorities) which are also exempted from fines imposed by the DPA; and
  4. a collective redress action for GDPR infringements is introduced, which is also open to damages suffered by SMEs.

Despite the GDPR direct applicability to all EU Member States, the different ways in which it has been implemented has created jurisdiction-specific differences which make it difficult for companies to develop a common EU compliance strategy and specific guidance shall be sought from local advisors.

If you would like to receive more information please contact  Tommaso Ricci, @