The Data Protection Officer (DPO) is a professional figure whose duties mainly consist of monitoring compliance with the GDPR. That is why we decided to appoint one.

What is a DPO and why we chose to have one

The Data Protection Officer (DPO) is a professional figure introduced by the GDPR (General Data Protection Regulation), the new regulation to protect privacy. This is an expert whose duties consist mainly of supervising compliance with the regulation, assessing the impact on data protection, and checking that any data breach in the database is notified in a timely manner and that the related tracking documentation is drafted as required by law.

The DPO is appointed by the data owner or by the data processor; the DPO can be internal or external to the company, but is in either case autonomous and independent of the data owner.
The DPO is an optional figure. The appointment becomes mandatory by law only in three cases:

  • if the data processing is carried out by public authorities
  • if the processing requires regular and systematic monitoring on a large scale
  • if the processing concerns, again on a large scale, special categories of sensitive data or data relating to criminal convictions and offences.

None of the three cases listed above applies to Max Application: the volume of processing performed with the pharmacovigilance software SafetyDrugs (of which we are the developers) does not exceed the minimum thresholds by which the regulators define large scale. The cases processed by our software represent 6% of cases in the European Economic Area.

In order to increase data security and guarantee greater protection, we have nevertheless chosen to appoint an external DPO. We entrusted the role to the Milanese company New Consulting – Praolini Srl, in the person of Praolini Carlo.

The appointed DPO will be responsible for:

  • the review of the processing register, in particular the processing activities foreseen in the pharmacovigilance services provided through our safety database SafetyDrugs
  • the review of disclosures and appointments
  • quarterly control reports
  • the half-yearly reports on the activity carried out and on compliance with the GDPR and the related audits
  • training on the regulation aimed at Privacy delegates, system administrators and authorized persons
  • the management of customer requests concerning privacy.

The measures adopted are in addition to those already in place before the GDPR entered into force:

  • general improvement of access control and data protection
  • more effective prevention of breaches or theft
  • greater transparency towards data holders

With the appointment of a Data Protection Officer we are sure to provide a higher quality of service.

Fulvio Toscano
Quality Manager