The Data Protection Authority, on 15 December 2017, published on its official website a series of clarifications regarding the appointment and duties of the Data Protection Officer (“DPO”). More specifically, the Data Protection Officer must have specific skills, preferably, whenever appointed internally, be a Manager or a high ranking professional to be appointed with a specific deed. The Data Protection Authority, in addition, clarifies that this task cannot be carried out neither by the corporate IT System’s Manager nor any other professional figure with conflict of interest. In addition, the Data Protection Authority points out that even though there are no diplomas or degrees suitable to train the Data Protection Officer, even if he/she must have specific legal knowledge, now there are a variety of courses that offer specific training on the matter and the Data Protection Authority recommends attending them. In fact, it is reminded that the appointment of a non-competent person or a person not suitable to carry out the role of Data Protection Officer could lead to fines for the Data Controller, among which the payment of administrative fines. Finally, it is specified that the role could be held also by a legal entity, as long as there is an individual within the company that acts as a reference.