Giangiacomo Olivi

Author's details

Name: Giangiacomo Olivi
Date registered: December 21, 2012

Latest posts

  1. EUROPE: Data and tech governance for the connected retail sector 2. Retailers as tech operators — March 22, 2017
  2. ITALY: Italian authorities send a message with EU’s highest data protection fine as GDPR looms — March 20, 2017
  3. EUROPE: Data and tech governance for the connected retail sector #1. Keep compliant to thrive in an era of digital transformation — March 8, 2017
  4. Europe: Artificial Intelligence, what can we learn from the GDPR? — February 7, 2017
  5. ITALY – Personal data “CAN” be transferred under the Privacy Shield — November 30, 2016

Author's posts listings

EUROPE: Data and tech governance for the connected retail sector 2. Retailers as tech operators

In the previous post we discussed how sound personal data governance will help retailers to seize the opportunities provided by digital transformation.

Retailers are aiming to grow globally, in part to offset the limited growth available in mature markets. Within such a wider perspective, governance should also address reputational risks with a holistic approach. Data governance should be linked to policies and procedures affecting specific business lines (including fraud, anti-money laundering sanctions, financial integrity and ethical sourcing), with adequate cross-business training programs.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-data-and-tech-governance-for-the-connected-retail-sector-2-retailers-as-tech-operators/

ITALY: Italian authorities send a message with EU’s highest data protection fine as GDPR looms

The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) has this month imposed fines of more than €11 million on five companies operating in the money transfers sector for unlawful processing of personal data. This is the largest fine ever imposed by a European Data Protection Authority.

Sigue Global Service Limited, a UK web-based money transfer firm, and four companies operating as its agents in Italy, were found to have transferred large amounts of money to Chinese entrepreneurs in breach of Italian money laundering regulations and the provisions of the Legislative Decree 30 June 2003 no. 196 (Codice per la protezione dei dati personali, Italian Privacy Code).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-italian-authorities-send-a-message-with-eus-highest-data-protection-fine-as-gdpr-looms/

EUROPE: Data and tech governance for the connected retail sector #1. Keep compliant to thrive in an era of digital transformation

Data and tech governance for the connected retail sector 1: Keep compliant to thrive in an era of digital transformation

The retail sector is embracing digital transformation, with the connected retail market expected to reach more than USD 50 billion by 2022, according to Grand View Research.

An increasing amount of personal data is used for customer intelligence, as well as production and supply chain optimization. IoT (Internet of Things) is driving such growth, as smaller and more efficient retail spaces become “fulfillment centers”, with a wide usage of sensors that create unique customer experiences.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-data-and-tech-governance-for-the-connected-retail-sector-1-keep-compliant-to-thrive-in-an-era-of-digital-transformation/

Europe: Artificial Intelligence, what can we learn from the GDPR?

Connected devices that exchange substantial volumes of data come with some obvious data protection concerns. Such concerns increase when dealing with artificial intelligence or other devices/robots that autonomously collect large amounts of information and learn through experience.

Although there are not (yet) specific regulations on data protection and artificial intelligence (AI), certain legal trends can be identified, also taking into account the new European General Data Protection Regulation (GDPR).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-artificial-intelligence-what-can-we-learn-from-the-gdpr/

ITALY – Personal data “CAN” be transferred under the Privacy Shield

Following the Schrems Judgment, there was some uncertainty as to the legal basis to transfer personal data from Italy to the US.

Consistent with other European Data Protection Authorities, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “the Italian DPA”) also authorized the transfer of personal data to the US under the so-called Privacy Shield, i.e. the new agreement signed between the EU and the US which served as the alternative for the old Safe Harbour that was invalidated by the European Court of Justice (for further information see here).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-personal-data-can-be-transferred-under-the-privacy-shield/

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on the “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” C-398/15 (“Manni Case”). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.

Background

The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), despite the company having been liquidated. Mr Manni claimed that access to the above data by third parties jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the same Registry. The Chamber of Commerce objected that the Companies Registry is a public database with a specific obligation to provide to everyone (upon specific request) the companies’ main information. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General, all Companies Registry data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited set of information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and certain rights may be exercised also after the company ceased to operate (for instance for actions against the liquidators, etc.). The Registry does not play a limited statistical role; it safeguards legal certainty as a means to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which it is necessary to cancel certain information, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as it would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling of the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced with other fundamental rights, such as freedom of expression or – like in the Manni Case – interests of third parties to gain information on particular persons that held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or social media, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible to gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating in a public Registry a certain person holding a specific office with a company that was declared bankrupt is not per se derogatory for such person. A bankruptcy may be due to many factors, including some external market trends.

Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would stand also taking into account the right to be forgotten as devised by Article 17 of the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi. It will no doubt be very interesting to review the ECJ’s final position.

@giangiolivi

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/

The EU Data Protection Regulation and the Fashion business. What to do.

The retail and fashion business is rapidly changing. Most fashion companies have become publishers (creating new editorial content) and now also data managers (also processing a large amount of personal data).

Within this context the EU General Data Protection Regulation, which recently entered into force, will no doubt play a key role, particularly for the retail and fashion companies operating in multiple jurisdictions or making use of new technologies.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-eu-data-protection-regulation-and-the-fashion-business-what-to-do/

ANALYSIS: WHAT TO EXPECT FROM THE PRIVACY SHIELD AND THE GENERAL DATA PROTECTION REGULATION (GDPR)

DLA Piper Shared Insights at Bloomberg Law’s 2016 Outlook on Privacy and Data Security in Washington DC

On February 3rd, the day after announcement of the US-EU Privacy Shield provisional agreement, DLA Piper’s Carol Umhoefer, Jim Halpert and Giangi Olivi discussed EU data protection developments at Bloomberg Law’s 2016 Outlook on Privacy and Data Security, in Washington DC, following a presentation by Shannon Coe, privacy leader at the U.S. Department of Commerce’s International Trade Administration, that summarized the terms of the provisional agreement. Here is a short analysis of the issues they discussed.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/analysis-what-to-expect-from-the-privacy-shield-and-the-general-data-protection-regulation-gdpr/

2016 – Main trends on Cybersecurity

While many are not yet aware of the full breadth of the cybercrime phenomenon (cybercrime globally generates more revenues and is more profitable than drug trafficking!), there is a general consensus about the fact that certain breaches cannot be avoided. With a proliferation of connected devices operated remotely and a more pervasive use of data, companies are facing increasing (and more sophisticated) cyber threats. This trend leads to increasing regulations fostering cybersecurity best practices. Here are our main takeaways from the cybersecurity seminar held in Milan last week.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/2016-main-trends-on-cybersecurity/

EUROPE – Transferring Personal Data to the US – Model Clauses Pros & Cons

By Giangi Olivi, Diego Ramos and Carol Umhoefer

As discussed in our previous posts, after the European Court of Justice decision in the Schrems case, transfers of personal data from the EU to the United States on the sole basis of the EU-US Safe Harbor (i.e. the principles and FAQ issued by the U.S. Department of Commerce in July 2000 that were the subject of an adequacy decision by the European Commission) are no longer legal.

Safe Harbor is used by more than 4,000 companies, including significant social media players, facilitating the flows of data between Europe and the United States; its invalidation has potentially serious economic consequences. Here are some thoughts for companies considering alternatives to the Safe Harbor.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-transferring-personal-data-to-the-us-model-clauses-pros-cons/
