ITALIAN DATA PROTECTION AUTORITY ON CORPORATE SUPERVISORY BODIES
For the italian data protection autority, the supervisory bodies appointed pursuant to legislative decree 231/2001 must be qualified as authorised persons for processing actvities of data. But not always (perhaps).
At the request of the Association of the Members of the Supervisory Bodies pursuant to Legislative Decree 231/2001 (AODV 231), on 12 May last, the Italian Data Protection Authority (“DPA”) expressed its opinion on the subjective qualification that the Supervisory Bodies ("SB" or "Bodies") appointed by Entities in the context of the so-called 231 compliance should be given in light of data protection laws and regulations.
In particular, the Italian DPA has stated that the members of the Supervisory Body (which, as is well known, may be a monocratic or collegiate body) can only play the role of persons authorised to process personal data - i.e. those natural persons expressly designated by the data controller who act under the direct authority and within the organisational structure of the data controller, which defines under its own responsibility the specific tasks and functions related to the processing of personal data (art. 4 no. 10 of EU Regulation 2016/679 - "GDPR" - and art. 2-quaterdecies of Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018).
In short, according to the Italian DPA’s opinion, although the Supervisory Body must exercise its tasks independently from the supervised entity and has ex lege "autonomous powers of initiative and control", it cannot be considered distinct from the company, but "part" of it, to the extent that the exercise of such tasks "takes place within the organization of the Entity, data controller, which, through the preparation of organisation and management models, defines the scope and methods of exercising these tasks", as well as aspects relating to operation including the allocation of resources, means and security measures (art. 6, paragraphs 1 and 2 of Legislative Decree no. 231/2001).
In the opinion of the Italian DPA, this classification is all the more evident from the fact that any omitted controls on compliance with the organisation and management models (“OMC”) implemented by the Entity do not fall within the scope of the Supervisory Body, but rather within that of the Entity itself, which cannot, in such a case, avail itself of the provisions of Article 6(1) of Legislative Decree no. 231/2001 (as regards the Supervisory Body, it would be only contractual liable towards the Entity for failure to comply with the obligations assumed with the assignment).
Therefore, on the one hand, the SB would not qualify as an autonomous data controller, since it does not independently establish the purposes and methods of processing personal data of which it becomes aware. On the other hand, it could not even be qualified as a data controller, since - while complying with the instructions given by thirds - it is not a "person legally distinct from the Data Controller, but acting on behalf of the latter" (art. 28 of the GDPR) nor is it required to adopt suitable technical and organizational measures appropriate to the risk in the context of the processing activities it carries out (art. 32 of the GDPR), which without any doubt rest on the Entity that appoints the Body and defines its mandate and operation.
There is, however, one fundamental aspect that must be underlined: the position taken by the Italian DPA is explicitly limited only to the functions carried out by the Supervisory Body within the so-called "information flows" that exist with the Entity, i.e. with reference to the mutual information obligations to which the Supervisory Body and the corporate functions/management bodies are bound with respect to critical issues concerning the organisation of the Entity and the functioning and updating of the OMC.
Therefore, while in some ways the intervention of the Italian DPA in the definition of a long-debated privacy role of the SB time can be appreciated, it cannot be ignored that a major gap has been left with regard to the other functions typically attributed by the Entity to the Supervisory Bodies (and often interconnected with each other), i.e.:
(i) the powers of auditing and inspection of company processes, which the Supervisory Body provides in total autonomy of organisation and expenditure - not having to consult the company functions beforehand, being able to appoint also external advisors and using its own budget made available to the Entity, and
(ii) the management of reports received by the Supervisory Body regarding significant unlawful conduct or violations of the OMC, as part of the so-called whistleblowing procedure adopted by the Entity, as provided for by Article 6, paragraphs 2-bis, 2-ter and 2-quater of Legislative Decree no. 231/2001 (added by Law no. 179/2017).
Now, it seems that the Italian DPA deliberately does not address these aspects, which - as is well known - are central to the activities of the Supervisory Body and therefore fundamental in view of the correct classification of its role for privacy purposes.
It might be thought that also in these cases, the same reasoning carried out by the Italian DPA with regard to the information flows is applicable, i.e. that "the Supervisory Body, although endowed with autonomous powers of initiative and control, cannot be considered autonomous data controller (Art. 4, No. 7 of the Regulation [GDPR]), considering that the duties of initiative and control proper to the Supervisory Body are not determined by the Body itself, but by the law which indicates the duties and by the executive body which, in the model of organization and management, defines the aspects relative to the functioning". However, it is the Italian DPA itself which underlines how it remains "excluding the new and different role that the Body could acquire in relation to the reports made within the whistleblowing regulations".
Therefore, it would seem that the Authority itself excludes an analogical application of its own reasoning. How, therefore, should the Supervisory Body be considered in these two hypotheses?
In my opinion, although the Supervisory Body conducts such two activities mentioned above within the same framework and by virtue of the same powers provided for with regard to information flows, however, the decision-making power of the Body itself in carrying out these activities is in fact much greater. Starting with the processing of personal data: with regard to audits, it is the SB that decides which documents to view in the surveys it conducts and how to process those data, which to report to the relevant corporate functions, which to ignore and which to process for example to carry out further surveys.
This a fortiori true for the management of whistleblowing reports, which is totally delegated to the SB, precisely with regard to personal data. Although, in fact, pursuant to Article 6, paragraph 2-bis of Legislative Decree 231/2001, it is the Entity that must provide for the whistleblowing procedure in its OMC and ensure the establishment of several information channels that guarantee the confidentiality of the whistle-blower, however, this means that where the primary recipient of reports is the SB, this is the first "subject" that acts as a filter between the report and the Entity. In other words, it is the SB that sees (and processes) the personal data of both the whistle-blower and the subject allegedly reported as acting illicitly (as well as personal data of the other persons involved), having to maintain the confidentiality of such data on its own and deciding independently and discretionally whether and what to report to the Body. This means that it is the SB itself that must guarantee the confidentiality, secrecy and protection of such personal data, having to treat them carefully, guard them carefully and decide whether and how much to keep them and whether to communicate them (transfer them?) or not to the Entity. In fact, although the whistleblowing procedure is defined by the Entity, one of the major concerns of the whistleblowing regulations is precisely that of protecting the whistle-blower (and whom is unfairly reported) by the Entity itself.
In the light of the above, then, can it be really said that all this autonomy exercised by the SB in the processing of personal data within the two described activities of auditing and management of reports is compatible with the qualification of a mere subject authorized for processing and does not leave room for a classification more akin to that of data controller?
What responsibility does the SB have in case of incorrect management of personal data processed by virtue of reports received and consequent internal investigations (e.g.: dissemination of the same within the Entity)?
How much value should be given in the definition of privacy roles to the fact that upstream the powers of action are attributed to it by the Entity, that the SB moves within a budget and procedures defined by the Entity (including the predisposition by the latter of special channels, also IT ones)?
Doesn't classification as a subject authorised for processing risk excessively relieving the SB of its responsibility, ignoring the autonomy that distinguishes it?
As I deal with both compliance 231 and data protection concerns, I am well aware of the defining difficulty of these border-line positions, and I also understand the need not to place excessive responsibility on subjects who - although involved in the processing of personal data - often do not have the concrete power and the concrete possibility (including economic) to take all decisions regarding the mode of processing carried out, starting from the security means.
However, the doubts remain - and are further exacerbated in light of the recent European news on whistleblowing, which, with the adoption of the EU Directive 2019/1937, concerning " on the protection of persons who report breaches of Union law" (to be transposed by 2021), has further accentuated the role of the subjects who receive the reports, starting from the protection from the Entity of personal data of the whistle-blowers.
Who knows that on a practical level, this Directive will not lead to an overall evolution of the role of the subject who first receives the reports in the sense of an even greater independence, not only functional and ethical, but in an organic sense? In this perspective, it would mean having to attribute this task to subjects completely third parties with respect to the Entities and, therefore, endowed with their own autonomy and legal separation therefore reflected on the organizational capability.
In this case, also the SB, inasmuch as it is commonly charged with the management of whistleblowing, would certainly change its connotations, to the advantage (in my opinion) of a real autonomy and independence from the controlled Entity, which would probably guarantee a greater impartiality and efficiency in the performance of the Body’s control tasks on the activity of the Entity.