Tag Archive: Italy

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on the “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” c-398/15  (“Manni Case“). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.


The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), despite the company had been liquidated. Mr Manni claimed that access to the above data from third parties jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the same Registry. The Chamber of Commerce opposed that the Companies Registry is a public database with a specific obligation to provide to everyone (upon specific request) the companies’ main information. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General all Companies Registry’s data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a number of limited information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation to a (fundamental) data protection right should be limited to the strict necessary, the Advocate General stressed that allowing a public Company Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also taking considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and certain rights may be exercised also after the company ceased to operate (for instance for actions against the liquidators, etc.). The  Registry does not play a limited statistical role, it safeguards legal certainty as a mean to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which it is necessary to cancel a certain information, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as it would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling of the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced with other fundamental rights, such as freedom of expression or – like in the Manni Case – interests of third parties to gain information on particular persons that held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensivity for the individual’s private life as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social media, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating in a public Registry a certain person holding a specific office to a company that was declared bankrupt, is not per se derogatory for such person. A bankruptcy may be due to many factors, including some external market trends.

Albeit the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would stand also taking into account the right to be forgotten as devised by Article 17 the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi.  It will no doubt be very interesting to review the ECJ’s final position.




Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/

2016 – Main trends on Cybersecurity

While many are not yet aware of the full breadth of the cybercrime phenomenon (cybercrime globally generates more revenues and is more profitable than drug trafficking!), there is a general consensus about the fact that certain breaches cannot be avoided. With a proliferation of connected devices operated remotely and a more pervasive use of data, companies are facing increasing (and more sophisticated) cyber threats. Such trend leads to increasing regulations fostering cybersecurity best practices. Here are our main takeaways from the cybersecurity seminar held in Milan last week. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/2016-main-trends-on-cybersecurity/

Italy – ECJ Safe Harbor Decision and the Italian DPA Position

The European Court of Justice (“ECJ”) held today that the Safe Harbor Privacy Principles for transfer of data to the US are invalid, opening questions on past and future data transfers that rely on such data protection principles. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-ecj-safe-harbor-decision-and-the-italian-dpa-position/

Italy: Digital health hits against stricter rules?

Digital health has massive potentials, but its implementation requires to comply with standards that are now even more stringent after the issue of new guidelines by the Italian privacy authority.  Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-digital-health-hits-against-stricter-rules/

ITALY – “Digital Authorities” Round Table, University of Milan, 22 May 2015

Follow us on Friday 22 May 2015 at the University of Milan, with the main experts of our Italian “Digital Authorities” – Giuseppe Galasso (Director Communications – AGCM), Benedetta Liberatore (Director Audiovisual Services – AGCOM) and Luigi Montuori (Director Communications and Electronic Networks – Data Protection Authority), together with Marco Cuniberti (UNIMI) and Giangiacomo Olivi (DLA Piper).

We will be discussing the regulatory challenges for digital media and new technologies, including the latest regulations on cookies and the consultation on IoT launched by the Italian Data Protection Authority. We look forward to seeing you at 2:30 PM, Sala Napoleonica of the University of Milan, via Sant’Antonio 2. The entrance is free, but please register with infomaster.giurisrprudenza@unimi.it. See you soon!


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-digital-authorities-round-table-university-of-milan-22-may-2015/

ITALY – Internet of Things – Term for the Machine to Machine Survey further extended!

The term for the consultation of the Italian TLC Authority (Autorità per le garanzie nelle comunicazioni – the “Authority”) on Machine-to-Machine (see our previous post here) is further extended for additional 45 days. The final term is now set for 23 March 2015.

The Authority intends to: (i) analyze the factors that may influence the development of  Machine to Machine services (like, for instance, interoperability) and the interaction between the various stakeholders in the market; (ii) assess the development projections and the various ways for exploiting the Machine to Machine services; (iii) pinpoint the main regulatory barriers for any further development of such services (e.g. numbering and roaming regulations); and (iv) identify the areas for which it would be appropriate to set up a coordination with the other (national and international) authorities (for example, the Italian Data Protection Authority – see here on the main data protection concerns for the Internet of Things).

Given the complexity of the above review (including the assessment of complex business models) and the limited national and international precedents, the Authority opted for an additional extension. This survey will likely be followed by additional consultations / surveys from other national authorities, and will hopefully trigger a debate at an Italian Parliament level (as already happened in other jurisdictions – see here on the latest news on the U.S. Senate).  

This is a very important topic covering a wide array of businesses and technologies, from connected cars, to smart meters, smart grids and home devices. Please contact our team if you want to further discuss!

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-internet-of-things-term-for-the-machine-to-machine-survey-further-extended/

GLOBAL: Internet of Things – Top ten data protection concerns

As we discussed in our previous posts, there are a number of positive trends that make the Internet of Things a long lasting evolution. Hardware is improving, there is an increasing understanding from the industry of the benefits that can be drawn from harmonization and interoperability, customers ever more expect to control appliances, whilst third and fourth generation communications are making connections between “things” a lot easier. All this is causing an exponential increase in data processing. After all, the Internet of Things is about big data, and how such data are processed remains a cause for concern. Here are the top 10 privacy and data protection concerns. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-internet-of-things-top-ten-data-protection-concerns/

ITALY: Italian Data Protection Authority – analysis of the first half 2014 and action plan

The Italian Data Protection Authority (Garante) has recently made available the results of the first half 2014 activities: 196 inspections, fines issued in the range of 2,5M Euro (already collected). Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-italian-data-protection-authority-analysis-of-the-first-half-2014-and-action-plan/

ITALY: Data protection authority approves insurance antifraud registry

Data protection rules will be adequately protected through the registry to be set up against frauds in the insurance sector according to the Italian data protection authority. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-data-protection-authority-approves-insurance-antifraud-registry/

ITALY: New rules on cookies and Internet profiling!

After a long public consultation process, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) finally issued its decision on the “simplified information notice and cookie consent” (“Cookie Decision”).

With the Cookie Decision, the Garante clarifies the distinction between technical and profiling cookies. To sum up:

– Technical cookies are cookies required for providing “electronic communications or information society services”; in other words, all cookies required to ensure the running of the site. To this broad category, the Garante associates also the analytic cookies placed by the publisher or the manager the site (editore o gestore del sito), provided that the only aggregated data are processed, as well as the functionality cookies to improve the service provided to the users (e.g. language preferences).

– Behavioral or profiling cookies are all cookies that allow a profiling of the user, so as to propose to the same user more tailored advertising. While no prior consent is provided for technical cookies, behavioral cookies require a specific and express consent.

The Garante further clarifies the distinction between first and third party cookies, defining as first party cookies all cookies placed by the publisher or the manager of the site, whereas all third party cookies are simply those cookies that are not placed by third parties. In this respect, the Garante acknowledged that the first parties may well not be aware of the existence of third parties placing cookies through the same first parties’ site. Consequently, in gathering the consent also for third parties’ cookies, the first parties are considered as mere “technical intermediary” (intermediari tecnici) – an interesting new concept for Data Protection, recognizing how Internet (and behavioral advertising) is de facto populated by a large number of arbitrators.

As for the new rules set out by the Cookie Decision, all sites with cookies will now have to provide for a two layer information notice, with a first summarized notice including a link to a second and more complete notice.

The first simplified notice is set through a banner to be placed in the homepage and to be devised in a way to create some “discontinuity” with the usage of the site contents. The banner will also contain some basic information, including a mention of any placing of behavioral or third parties cookies, a link to the extended information notice, the mention that it is possible to deny consent, and the indication that the continuation of the usage of the site will imply a cookie acceptance. This last point is very relevant, as such consent will have to be provided through “a positive action”, i.e. by removing banner through a click or continuing to read other underlying active pages. It will not be possible to simply ignore the banner. The publisher or manager of the site will then have to keep track of such consent through a (technical!) cookie.

As stated above, the simplified information notice will link to the more complete information notice, which will include more analytical information, including all information required by the laws. Such notice will include also the links to the third parties’ information notices, or other intermediary parties. It should also be specifically mentioned the possibility to object against the usage of cookies also through the browser settings.

As also discussed in our previous posts, the Garante had to operate within a legal framework based on consent. It clearly stated that it made an attempt to avoid unnecessary obstacles to the current internet users’ experience: it will now be very important to assess how the new rules will be implemented in practice (there are some parts that will need to be further clarified).

All operators will have a grace period of 12 months to adapt to the new rules. And they better do so, as any failure to comply with the regulations on profiling and cookies may entail substantial fines.

If you want to access to our commentary from our blog in Italian, please click here. For further information, do not hesitate to contact us (giangiacomo.olivi@dlapiper.com)!

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-new-rules-on-cookies-and-internet-profiling/

Older posts «