New GDPR guidelines by the Italian Data Protection Authority

Italian companies can now rely on guidelines on how to comply with the European privacy regulation (GDPR) which unvail some interesting positions. Giulio Coraggio

After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali, (the “Italian DPA“) issued its 6 step methodology on the GDPR which aims at also increasing awareness on the most relevant changes introduced:

1. More detailed consent and broader legitimate interest

As already provided by the current regime, any type of processing of personal data needs to have a legal basis justifying it. In particular, among others, with reference to

Consent

An explicit (but no longer written) consent is required with reference to the processing of sensitive data (e.g. health related data that are now incorporated in the broader “special” category of data) and to the processing based on automated decision making, including profiling. This shall happen in line with the relevant guidelines of the Article 29 Working Party.

The need of an explicit consent to automated decisions impacting health related data is burdensome since the manual processing of requests might not be economically feasible for companies in some cases. Therefore, other solutions need to be identified to avoid the risk that customers do not give their consent to the automated processing of their applications.

Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the current regime meets also the requirements of the GDPR, no new consent is required. On the contrary, if this is not the case, a new consent shall be obtained before the 25th of May 2018.

Legitimate interest

The legitimate interest shall no longer be identified by means of a decision of the data protection authority as on the contrary it was provided by the Italian Privacy Code. But a balancing test shall be performed by the data controller in order to rely on this legal ground of processing of personal data which is an alternative to consent.

The Italian DPA confirms that the criteria identified in its previous decisions relating to for instance the usage of CCTV systems as well as fraud prevention solutions still apply. On the contrary, the Italian DPA does not provide clarifications as to be possibility to rely on legitimate interest for direct marketing purposes which is one of the hottest topics at the moment.

2.Longer privacy information notice, but multi-layer

A much wider amount of compulsory information shall be listed in the privacy information notice. The most relevant change in my view is the need to expressly mention the storage period of personal data. This will force companies to adopt a strict internal policy and technical measures to delete or anonymise data on the expiry of the storage period and the identification of the applicable retention period might be quite complex.

Also, the privacy information notice shall be concise, transparent easily accessible and easy to understand. It can rely on standardised icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasised that the European Privacy Regulation pushes for the implementation of multi-layer privacy information notices in order to ease their understanding by the public. This would be essential given the very large amount of information to be included in the notice under the GDPR.

A privacy information notice compliant with the GDPR shall be in place before the 25th of May 2018 and therefore some operators that have relationship once a year with their customers might need to move quite fast!

3. Reinforced rights with the novelty of the data portability right

The GDPR sets strict deadlines to comply with the requests of exercise of individuals’ rights and therefore ad hoc internal organisational and technical procedures shall be put in place to address such requests. Also, the Italian DPA might issue some guidelines on the potential “reasonable fee” to be paid by individuals in extraordinary circumstances for the exercise of their rights, but in general terms the exercize of such rights shall be free of charge.

The rights of access and erasure (the so called “right to be forgotten“) are reinforced and it is emphasized the need to put in place a procedure to ensure that also third parties processing data on behalf of the data controller erase them following the exercize of the above mentioned right.

In particular, the right of restriction allows to limit the further processing of personal data, pending a decision on it, and obliges to adopt a procedure to “mark” such data up to the expiry of this transitional period.

While with reference to the data portability right, the Italian DPA refers to the opinion on the Article 29 Working Party.

4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains

Data processing agreements with data processors shall be amended since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to have in place a record of data processing activities, to implement adequate technical and organisational measures and, if it falls under specific categories, to appoint a data protection officer. The European Commission is considering the adoption of standard clauses for data processing agreements, but the main change relates to controls to be implemented to monitor data processors and check their level of compliance with data protection laws.

A positive change is that data processors can appoint sub-processors, but data processors remain liable towards the data controller for the activities of their sub-processors, unless “it proves that it is not in any way responsible for the event giving rise to the damage“.

Interestingly, the Italian DPA provides that any individual accessing to personal data shall still be appointed as “persons in charge of the data processing (incaricati del trattamento), which was a peculiarity of the Italian Privacy Code. Indeed, in order to prove the implementation of adequate technical and organisational measures, strict instructions shall be given to whoever has access to personal data. I totally share such approach and I also believe that internal data processors (also named privacy stewards/champions) and in general individuals in charge of monitoring privacy compliance in addition to the DPO shall be adopted to prove the setting up of adequate organizational measures.

5. Need to adopt an accountability program

The accountability principle is one of the major changes introduced by the General Data Protection Regulation. This requires that companies processing personal data are able to prove to have adopted the measures necessary to comply with the GDPR by means of a so called “accountability program“.

The accountability program finds two of its main elements in the implementation of a privacy by design and a privacy by default approach and in the performance of a privacy impact assessment that can be followed by a consultation with the competent data protection authority.

Such elements require that an assessment on the legality of the data processing activities is no longer performed by the data protection authority, but needs to be carried out by each entity processing personal data. This is the reason why the obligation to notify certain types of data processing activities to the Italian DPA and the obligation/possibility to run a prior check with it in some circumstances will no longer exist.

Other elements of the accountability program are

  1. The establishment of a record of processing activities which the Italian DPA recommends to any company, regardless of their size and for which it might issue a template;
  2. The implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk“, which can no longer be limited to the minimum security measures provided so far by the Italian privacy code. But, the Italian DPA is considering to issue guidelines on the security measures to be put in place;
  3. The adoption of a procedure for the notification to the Italian DPA and the communication to the relevant individuals of data breaches, “unless the controller is able to demonstrate [—] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons“. For this purpose, data controllers shall also “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken“, regardless of whether it has been notified to the Italian DPA and make it available upon request; and
  4. The appointment of a data protection officer on which the Article 29 Working Party issued an opinion.

6. No major change for transfers of data outside the EEA

Principles and tools as those currently provided remain for the transfer of personal data outside of the European Economic Area. It is possible to rely on codes of conducts, but those shall be expressly approved by the competent data protection authority.

Also, it is not possible for courts of non-EEA countries to order the transfer of personal data outside the EEA. This shall occur either on the basis of international treaties or if the relevant EU Member State recognises the public interest to the data transfer.

If you found this article interesting, please share it on your favourite social media!

@GiulioCoraggio