Diritto al Digitale
Diritto al Digitale is the must-listen podcast on innovation law, brought to you by Giulio Coraggio, data and technology lawyer at the global law firm DLA Piper. Each episode explores the cutting-edge legal challenges shaping our digital world—from data privacy and artificial intelligence to the Internet of Things, outsourcing, e-commerce, and intellectual property.
Join us as we illuminate the legal frameworks behind today’s breakthroughs and provide insider insights on how innovation is transforming the future of business and society.
You can contact us at the details available on dlapiper.com
Is the DPO Responsible for a Cyber Attack?
In this episode of Legal Break, Giulio Coraggio, location head of the Italian Intellectual Property & Technology Law group at the law firm DLA Piper and the journalist Antonio Ravenna explain an important Italian court decision about DPO liability, GDPR, and cyber fraud.
A company lost €390,000 in a Business Email Compromise (BEC) attack: criminals sent fake payment instructions and the money went to the wrong bank account. The company tried to blame its external DPO, but the Court of Florence (Decision No. 3034 of 29 May 2026) said no.
Giulio and Antonio explain, in clear and simple words, why the DPO’s job under the GDPR is to advise and monitor, not to make security decisions, and why the duty to put real security measures in place stays with the company. They also share practical lessons: why good documentation is the DPO’s best defense, why ignoring the DPO’s advice can create liability for the company, and why naming a DPO is not a replacement for real cybersecurity.
📌 You can find our contacts 👉 www.dlapiper.com
Giulio Coraggio: Welcome everyone. I'm Giulio Coraggio, a technology and data lawyer at the global law firm DLA Piper.
Antonio Ravenna: And I'm Antonio Ravenna, a journalist.
Giulio Coraggio: We are here to discuss a very interesting case relating to the liability of a data protection officer.
Antonio Ravenna: And we're gonna make it during the time of a coffee break. Hi Giulio. An Italian court just ruled on a case involving a DPO and cyber fraud worth nearly 400,000 euros. What happened?
Giulio Coraggio: Well, it's a really interesting case. It relates to a company in the utility sector. Basically, one of the employees of this company received an email that seemed to be legitimate. It was coming from an email address that was from a customer of the company, basically requiring to change the IBAN number, the bank account details, to which a payment had to be performed. The officer in charge just executed the request, but unfortunately, the IBAN number was not of the customer or the supplier that was meant to receive the payment, but was of the fraudsters, and therefore 390,000 euros were diverted to a different bank account, and all of a sudden they disappeared. What is interesting here is that following this accident, the victim of the fraud decided to bring a claim against the firm of the DPO, challenging that this event had occurred because of a sort of lack of service by the DPO.
Antonio Ravenna: So, at the heart of this ruling is a fundamental question. Actually, what does the GDPR say about what a DPO is supposed to do?
Giulio Coraggio: It's interesting because it seems to say, in the view of the claimant, that the DPO is in charge of ensuring privacy compliance of the company, is the main actor of the privacy compliance of the company, while the scenario is quite different under the GDPR. It is true that in a few cases the DPO does more than what is required under the GDPR, but the GDPR provides the role of the DPO as a sort of auditor of the data protection compliance of the company. So it doesn't take decisions, it gives recommendations on what the company shall do in order to ensure compliance. In practice, it doesn't mean that the DPO is a representative of the data controller. The DPO actually, also in case of disputes, cannot represent the company; it's a third party, even when it's an employee of the company, because it's a mere advisor, a mere auditor, and it needs to flag a potential lack of compliance. And this is exactly what happened in this case. The DPO had flagged a lack of security measures and reported actually in two instances that the employees required specific training on this kind of fraud, and then the company decided not to run this kind of training for the very frequent reason of cost-related matters, and then it suffered the cyber attack.
Antonio Ravenna: And so, Giulio, what are the practical takeaways for DPOs and companies?
Giulio Coraggio: From the perspective of the DPO, the golden rule is that you need to document everything you do, because otherwise you could be blamed for what you weren't able to document, what you were not able to prove, and therefore the accountability principle that is one of the backbones of the GDPR applies even to the conduct of the DPO. Not only towards regulators, towards the Garante and the other data protection authorities, but also internally, in order to protect the DPO in relation to potential claims against him. The golden rule for data controllers is that you cannot blame the DPO for your lack of compliance. The DPO is a mere auditor, a supervisor of the compliance, but if the measures are not put in place by the company, the liability is still on the data controller, on the company that was supposed to do the activities which were not done. Then there is a gray area when the DPO doesn't flag some lack of compliance. But again, even in that case, there is a risk that the data protection authorities are going to blame the data controller, the entity that was meant to comply, which can then allocate part of the liability to the DPO if there was in practice a lack of service on his side.
Antonio Ravenna: So, document everything and don't confuse advice with responsibility.
Giulio Coraggio: Absolutely, Antonio.
Antonio Ravenna: Thank you very much, Giulio. Thank you everyone, arrivederci.