Master of Personal Data Protection & Personal Data Designer. The Data protection subjects.
Lesson at the Master "Data Protection & Data Designer Maestro" organized by the Italian Privacy Institute - 7 November 2025.
Within the Master programme organised by the Academy of the Italian Institute for Privacy, Attorney Alessandro Del Ninno delivered a lecture entitled “Data protection subjects”, providing a systematic and practice-oriented analysis of the key roles introduced and regulated by Regulation (EU) 2016/679.
The lecture offered an in-depth examination of the different legal qualifications provided for under the GDPR, focusing in particular on the roles of the data controller, the data processor and the other parties involved, in various capacities, in personal data processing activities. The session clarified the legal criteria for the correct identification of privacy roles, emphasising that such qualification can never be merely formal, but must be based on a careful assessment of the purposes and essential means of the processing actually carried out.
Special attention was devoted to the principle of accountability and to the responsibilities arising therefrom for the various actors involved, with a specific focus on the most common errors encountered in practice, such as the improper overlap of roles, the inconsistent appointment of data processors and the inappropriate use of standard contractual templates. In this context, Attorney Del Ninno highlighted the importance of a substantive, evidence-based approach capable of withstanding supervisory authority audits and litigation.
The lecture also explored the role of the Data Protection Officer, analysing its functions, requirements and organisational positioning, as well as the delicate balance between independence, advisory support and integration within the controller’s decision-making processes. Reference was also made to the relationships between data protection subjects and technology providers, with particular regard to outsourced processing activities and the impact of new technologies on traditional models for allocating responsibilities.
The session was characterised by a strongly practical approach, enriched with applied examples and real-life cases drawn from professional experience, and provided participants with interpretative tools to navigate the complexity of the data protection framework and to structure effective personal data governance within both public and private organisations.
Link: web site of the IIP Academy