In a recent and thought-provoking decision, the Italian Data Protection Authority (Garante) sanctioned a securitization Special Purpose Vehicle (SPV) for failing to comply with several GDPR requirements — most notably, for not appointing a Data Protection Officer (DPO).