Top 5 takeaways from DLA Piper privacy event on Italian law integrating the GDPR

Lack of clarity on Italian privacy obligations is creating a considerable confusion among operators, but the GDPR is already in place. Giulio Coraggio

As anticipated, we ran on the 13th of September 2018 an interesting event on the new Italian data protection law integrating the GDPR. Despite of the very short one week notice, we had a room “packed” with DPOs and legal counsels eager to know what was going to change with the long awaited new Italian privacy law. Below is the presentation that we showed during the event and my top 5 takeaways that emerged during the discussion.


1. Is the GDPR the future or “Back to the Future”?

The goal of the GDPR was to increase the level of consistency among data protection rules across the European Union in order to enhance investments. However, the result has been that a number of local regulators abused of the flexibility given to local laws of integration of the GDPR. This means that, since the so called principle of establishment is no longer in place, for instance a CRM system used by an Italian company operating across the whole EU shall localize its privacy information notices, consent and other data protection compliance measures under the laws of 28 EU Member States.

2. Is the new privacy framework complete, but  still incomplete?

Despite of the issue of the new Italian decree integrating the GDPR, the regulatory framework still needs to be completed by means of decisions of the Italian data protection authority that shall set new obligations in the processing of health related data, biometric data and genetic data. At the same time, the decree refers to the authorizations and codes of practice to be issued by the Italian DPA.
These measures might be quite disruptive for companies that have been working for over a year on their GDPR compliance program and place them in an uncertain situation.

3. Shall direct marketing give up legitimate interest?

The Italian decree refers to the need to obtain a prior consent as a condition to send electronic marketing communications, saving only the option given by the so called soft opt-in exemption. However, recital 47 of the GDPR allows to rely on legitimate interest for direct marketing communications which now seems relegated as legal basis only for profiling activities. Also, are the direct marketing guidelines issued by the Italian data protection authority still meant to be in place? European rules set out by the GDPR shall prevail on local laws, but the issue relates to the risk of challenges in such an uncertain scenario.

4. Which old obligations are still in place?

The Italian decree provides that the decisions of the Italian data protection authority issued prior to the 25th of May 2018 remain applicable “provided that they are compatible with the GDPR“. No indication is given as to whether the Italian DPA will issue a list of such decisions. Therefore, it should be assessed whether it is necessary to adopt a conservative approach and for instance
  • appoint a system administrator,
  • adopt measures on CCTV systems,
  • meet requirements provided by the decision on cookies, but is such consent in line with the GDPR?
  • follow the guidelines of the Italian DPA on direct marketing?
  • adopt the measures required by prior opinions of the DPA, but shall data controllers at the same time run a DPIA?
  • implement retention periods provided by decisions of the Italian DPA.

Also, the most burdensome obligation appears to be the need to set up an internal organization model with the so called “internal” data processors and the appointment of each individual accessing to personal data as person in charge of the data processing, as showed in the chart below

5. Sanctions are getting scary, but do we have a transitional period?

Criminal sanctions have been added to fines already provided by the GDPR. And it is relevant that such fines are applicable also for breach of direct marketing rules which is the most sensitive topic for most of our clients.

Interestingly, the decree provides for an 8 month period up to 19 May 2019 in which the Italian data protection authority will take into account the first applicability of the GDPR in determining fines.

There were considerable discussions among DPOs on the topic during the event and the general feeling is that the provision is very uncertain and the Italian data protection authority declared that it deems the GDPR sanctions already applicable.