GDPR: why Max Application endowed itself with a DPO

The Data Protection Officer (DPO) is a professional figure introduced by the new GDPR (General Data Protection Regulation). He/She is an expert whose duties mainly consist in monitoring the compliance with the regulation, in assessing the impact on data protection, in checking that the timely notification of any data breaches in the database and the drafting of the related tracking documentation are performed as required by law.


The DPO is appointed by the data controller or by the data processor; it can be internal or external to the company but still autonomous and independent of the data controller.

It is an optional figure. It becomes mandatory by law only in three cases:
– if the processing of data is carried out by public authorities
– if treatment requires regular and systematic monitoring on a large scale
– if the treatment involves, always on a large scale, special categories of personal data or related to criminal convictions and crimes.


None of the three cases listed above is applicable to Max Application: the volume of data processed through our pharmacovigilance software, SafetyDrugs, of which we are developers and owners, does not exceed the minimum threshold by which the regulators define the large scale. Those processed by our software represent the 6% of the cases of the European Economic Area.

In order to increase data security and ensure greater protection, we have nevertheless chosen to appoint an external DPO. We relied on a company of Milan, New Consulting –Praolini Srl in the figure of Praolini Carlo.


The appointed DPO will be the responsible person for:
– the review of the treatment registers, in particular those provided for in the pharmacovigilance services, provided through our SafetyDrugs safety database
– the revision of information and appointments
– the quarterly control reports
– the half-yearly reports on the activity performed and on compliance with the GDPR and the related audits
– the training on the regulation addressed to Privacy delegates, system administrators and authorized people
– the management of customer requests regarding privacy.


The measures adopted are in addition to the previous ones implemented with the entry into force of the GDPR:
general improvement of accesses control and data protection
more effective prevention of data breach or theft
greater transparency towards data holders.


With the appointment of a Data Protection Officer we are sure to provide a higher quality of service.



Fulvio Toscano
Privacy and Security Manager of Max Application