Italian Insurance Intermediaries and Data Protection Officer appointment
Since the General Data Protection Regulation entered into force, the privacy landscape has kept changing. In fact, the new GDPR provisions still need to be fully implemented within the majority of undertakings. One of the most important provisions concerns data privacy governance and requires the appointment of a Data Protection Officer (“DPO”).
As confirmed by recital 97 of the GDPR, the Data Protection Officer is an expert in data processing with specialised knowledge of European privacy law. Furthermore, in certain specific contexts, the data controller and the data processor shall be assisted by a Data Protection Officer.
Art. 37 of the GDPR clearly states that appointing a DPO is mandatory:
- where the data processing is carried out by a public authority or public body;
- where the core activities carried out by the data controller or data processor – by virtue of their nature, scope or purposes – require regular and systematic monitoring of data subjects on a large scale;
- where the core activities carried out by the data controller or data processor consist of processing special categories of data pursuant to Article 9 of the GDPR.
The appointment of a DPO is an important task that falls within the scope of the new accountability principle. The accountability principle requires the adoption of proactive policies and mechanisms capable of demonstrating the correct application of the GDPR.
Within the Italian landscape, many insurance bodies and organisations have misinterpreted the Data Protection Authority's guidelines on DPO appointment. The Italian Data Protection Authority has confirmed that the appointment of a DPO is mandatory in all cases where the core business activities consist of data processing that monitors personal data or sensitive data under Art. 9 GDPR systematically and on a large scale. This covers subjects such as insurance and finance companies, auditing firms, political parties, trade unions, et cetera.
In particular, within insurance organisations, insurance intermediaries have not complied with the GDPR obligation to appoint a DPO. It therefore seems important to show which insurance intermediaries are subject to the obligation to appoint a Data Protection Officer.
Taking into consideration the Italian Register of Intermediaries (“Registro unico degli intermediari”), it can be concluded that not all insurance intermediaries have to appoint a DPO. For instance, subjects involved in arranging insurance or commercial deals, which are listed under section “C” of that register, are not required to appoint a DPO. In the same way, sub-agents, grouped under section “E”, are not obliged to appoint a DPO. In fact, neither of these categories carries out data processing on a large scale or targeting sensitive data.
Conversely, insurance agents and brokers – grouped under sections “A” and “B” of the Registro Unico degli Intermediari – are likely to be subject to the DPO appointment obligation, because their tasks require regular and large-scale data processing. Moreover, the activities of brokers and agents are likely to involve the processing of sensitive data such as health or biological data.
In conclusion, the accountability principle also applies to Italian insurance intermediaries. Therefore, in order to uphold the accountability principle, insurance intermediaries have to appoint a DPO who can assist with and supervise the data processing activities they undertake.