Clifford Chance

On the eve of the two years anniversary of the entry into force of the GDPR, the Italian data protection authority (IDPA) issued an opinion on the subjective qualification for privacy purposes of the supervisory body/board (organismo di vigilanza, "OdV") provided for under the Italian legislative decree no. 231/2001 (the Law 231).

Introduction

The opportunity came from a formal request submitted on 16 October 2019 by the association of supervisory board members under Law 231 (AODV231), whereby it sought clarifications on the privacy role (if any) to be assigned to the OdV.

The issue is not a new one, as discussions amongst practitioners on the privacy qualification of the OdVs have been also carried out under the former data protection regime. Basically, two views have been taken

• the OdV's requirements of autonomy and independence in the performance of its functions showed its closeness to data controllers' role.
• the inclusion of the OdV in the internal structure of the supervised companies recalled in some way the idea of a processing of data on behalf of someone else (like processors normally do).

However, as often happens, "when two dogs strive for a bone, the third runs away with it". In fact, the IDPA rejected the views summarised above, adopting its own position on the debate.   

The OdV: tasks and duties

Law 231 introduced for the first time in the Italian legal system the administrative (substantially criminal) liability of the corporation entities for specific criminal offences (the "Relevant Offence(s)") listed thereunder committed by its directors or employees at least in part – if not exclusively – in the interest, or for the benefit, of the corporate entity.

However, the corporate entity has a defence and generally cannot be held liable if it successfully proves that:

• management had adopted and effectively implemented systems and controls that were adequate to prevent the Relevant Offence(s) from being committed ("Model 231"); 
• a supervisory body/board (Organismo di Vigilanza) with independent powers of initiative and control had been set up to oversee the Model 231; 
• the individuals who committed the Relevant Offence(s) fraudulently avoided the Model 231; and 
• the OdV did not fail to perform its overseeing obligations.

The main functions of an OdV can be summarized as follow:

• monitoring the effectiveness of the Model 231, constantly verifying that directors/employees comply with it;
• ensuring the concrete suitability of the Model 231, meaning that it must make sure that the internal controls are adequate to prevent the commission of a crime;
• assessing whether the structure of the internal protocols is such as to guarantee their stability and functionality over time;
• taking care of the update of the Model 231.

To ensure the effectiveness of the OdV's supervisory activities, art. 6, para. 2, letter d), Law 231, requires that the Model 231 should provide “for disclosure obligations to the body in charge of supervising over the functioning of and compliance with the models”. This disclosure obligation should be fulfilled by implementing a system of information flows to and from the OdV (the "Information Flows") that can be periodic, by event or ad hoc.[1]

Through the Information Flows channel the OdV, may receive from the company information such as, inter alia, report of inspections from the Public Administration of from External Authorities, serious accident on the workplace, serious environmental issue, notices of investigation, seizures, searches or document requests from the Judicial Authority, disciplinary proceedings relevant for Law 231. This means that the company will grant access to (potentially) a huge number of data to the OdV.

The AODV231's position

When applying for the IDPA's opinion, the AODV231 took the position that the OdV (considered as a unique center of interests even if composed of some members) does not act as controller nor as processor while performing its controlling duties.

The OdV is not a controller as it does not determine the purposes and means of the processing

The AODV231 moved from the definition of "data controller" under the GDPR, which states that the controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (art. 4, para. 7, GDPR).

The OdV does not define the purposes and modalities of the processing of data, as:

• the purposes are set forth in the Law 231 and are decided by the board of directors of the company which appoint the OdV's members; and
• the OdV not always provides for the means of processing, that often belongs to the company itself.

The OdV is not a processor as it forms part of the company

Again, the definition of "data processor" under the GDPR, according to which a processor is the "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (art. 4, para. 8, GDPR), could be helpful to frame the AODV231's position.

Two main requirements qualify data processors: on the one hand, being a separate legal entity with respect to the controller; on the other hand, processing personal data on controller's behalf.

The AODV231 highlights that the OdV is not a "separate legal entity" with respect to the controller; conversely, it forms integral part of the company itself. Moreover, the OdV performs its duties with complete autonomy and independence as its activities cannot be reviewed by any other corporate body or structure; therefore, its performance cannot be classified as a performance on behalf of the company.

The IDPA's opinion

The IDPA confirmed the AODV231's position and stated that the OdV does not act as controller nor as processor when performing its duties.

However,  it provides some clarifications on the privacy role played by every single member of the OdV. The opinion highlights that each member of the OdV can be considered as a "third party" under art. 4, para. 10, GDPR,[2].

In fact, the performance of tasks and duties implies that the OdV's members access to the personal data processed by the company. This aspect did not go unnoticed in the IDPA's eyes.

That's why the opinion invites data controllers to act in accordance with the accountability principle under the GDPR which sounds very often as a voice in the head frantically shouting "it's up to you, controllers!". This principle wants data controllers to be able to justify their choices with reference to the processing of personal data.

Following such principle, the IDPA encourages controllers to appoint each member of the OdV as "person in charge of the processing" (persona autorizzata al trattamento) pursuant to art. 29 of the GDPR. Those persons will process personal data in accordance with the instructions issued by the controller.  

Tips for practitioners

Following the analysis of the IDPA's opinion, it would seem wise for controllers to structure the appointment letter of the person in charge of the processing in the clearest way possible, ensuring that the instructions:

(i)        do not affect OdV's independence when performing its duties;

(ii)       indicate, to the extend possible, the data flow to which OdV has access; and

(iii)      state the security measures OdV has to follow in the processing of data.

With specific reference to point (ii) above, in order to cover all the possible Information Flows made available to the OdV, it could be helpful to include in the appointment letter a final clause allowing the OdV access to the information –  available to the company – that are necessary to perform its supervisory duties.