In a recent and thought-provoking decision, the Italian Data Protection Authority (Garante) sanctioned a securitization Special Purpose Vehicle (SPV) for failing to comply with several GDPR requirements, most notably for not appointing a Data Protection Officer (DPO).
At first glance, this may seem like a straightforward enforcement action. However, the decision reveals a deeper tension between the GDPR and the regulatory framework governing securitizations, a framework that explicitly allows SPVs to operate without employees or an internal organizational structure.
The Garante's Position: Formal Responsibility Prevails
Despite the clear legislative framework that defines the SPV as a legally passive entity operating entirely through outsourced services, the Garante held that the SPV, as a data controller, remains fully responsible for GDPR compliance and cannot demonstrate that compliance simply by pointing to its service providers. This includes obligations that are typically tied to entities with operational capacity, such as:
- Appointing a Data Protection Officer,
- Keeping a record of processing activities,
- Implementing internal audit procedures on processors and sub-processors.
The Authority's position implies that even in the total absence of staff, an SPV must still establish these structures, in effect treating legal accountability as separate from the operational realities permitted by financial regulation.
When Legal Frameworks Collide
This raises a critical regulatory question: can GDPR obligations be applied in a vacuum, ignoring the specific legal regime that governs the entity in question?
Securitization laws are designed precisely to allow SPVs to function without employees. Operational activities are lawfully and deliberately outsourced to regulated third parties, such as servicers and sub-servicers, under a regime that ensures financial and operational transparency.
Yet the Garante's interpretation appears to disregard this context, applying the GDPR as if the SPV were a traditional, staffed business. The result is a potential conflict between two compliant legal models: one under financial law, the other under data protection law.
Proportionality at Risk?
The GDPR is built on the principles of accountability and proportionality, requiring data controllers to implement measures appropriate to the risk and context of the processing. But when an SPV with no internal resources must appoint a DPO whose only function would be to oversee third parties already governed by securitization law, one wonders whether this approach truly enhances protection for data subjects or merely introduces duplicative and formalistic compliance burdens.
The Takeaway for the Market
This decision is a wake-up call for the structured finance sector. Legal and compliance teams must now reassess the GDPR implications of securitization structures and consider DPO appointments, even for "empty" SPVs. For businesses that run several securitizations through several SPVs, the obligation to appoint a DPO becomes an additional cost to bear.
On a similar topic, see the article "A DPO cannot be also a Data Processor for the Italian Privacy Authority".