Sulla figura del "responsabile interno" del trattamento di dati personali

The purpose of this essay is to analyse the debated issue if a person who process personal data within the organization of the data controller can be designated or not as “internal” data processor, pursuant to the new European General Data Protection Regulation (GDPR) [Reg. (UE) 679/2016]. When Italy brought into force its national data protection law to comply with the Directive 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data), in 1976 (by means of the Italian Data Protection Act, Law No. 675/1996) and in 2003 (by means of the Italian Data Protection Code, Legislative Decree No. 196/2003), there was no doubt about the compatibility of the role of “internal” processor with the legal system. This subjective role has been confirmed in several statements of the Italian Supervisor Authority (Garante per la protezione dei dati personali). Since the GDPR has come into force in all the EU Member States, many scholars and experts are of the opinion that it is no more admissible the designation as “internal” data processors: the Art. 28 GDPR should be applied only to the “external” data processors. This interpretation, which presents a position in discontinuity with the previous one, is strongly criticized in this essay, where the author argues both for the compatibility of the role of the “internal” processor with the GDPR and for the necessity to rethink the application of the GDPR’s rules which seem to be in contrast to that role.