Italian law integrating the GDPR in place, what changes?

Italian privacy law integrating the GDPR is finally in place, but a number of provisions remain unclear, but need immediate action. Giulio Coraggio

After having spent the well-deserved summer break, Italians are back to work and the legislative decree integrating the GDPR has been finally published on the Official Gazette and will be binding with effect from the 19th of September 2018.

In order to celebrate such event, but to also discuss the impact of such new provisions on companies operating in Italy, we arranged an Innovation MeetUp on the 13th of September 2018 at our Milan office whose details are available HERE.

1. The Italian Privacy Code changes after the GDPR

Rather than removing the existing Italian Privacy Code, apparently the government decided to test our “Tetris” skills, just amending the existing Italian Privacy Code to align it to the GDPR and replacing whole sections by means of a cross-reference to the GDPR.

The result is a very confusing text which inevitably cannot be 100% aligned to the GDPR and might contain mistakes.

2. The regime for special categories of personal data still needs to be completed

The Italian Data Protection Authority is requested to issue a list of additional requirements to be observed in the processing of genetic, biometric and health related data. Such list will be published every two years and shall mainly contain specific technical measures in terms of required encryption and anonymization.

The matter is quite relevant since additional investments in terms at least of security measures might be required and updated every 2 years which creates an additional element of uncertainty.

3. The strong limitations on processing of data on criminal sanctions remain

There is a quite extensive list of examples when data on criminal sanctions can be processed. But it remains the principle that only a primary law or Workers Collective Agreements can authorize their processing.

This is a quite relevant issue for companies that require a criminal report check to all their employees. Such practice shall be ceased, unless authorized either by the law such as in the case of directors of companies in order to check their suitability for the role or by the provision of the applicable Workers Collective Agreements.

4. A more complex internal compliance organization is required

The Italian Privacy Code prescribed the role of the “internal data processors” which are persons within each department of companies in charge of monitoring data protection law compliance.  As anticipated by the guidelines of the Italian data protection authority on the GDPR, their roles is now confirmed, but they are named “designated persons” which we usually rename as privacy stewards, champions, data owners etc.

This is an important matter especially for foreign companies that are not accustomed to such requirement. But in my view, regardless of what provided by Italian law, such requirement could be implied by the obligation to implement adequate organizational measures which cannot mean that any data protection law compliance check is delegated to the DPO.

5. Is direct marketing subject to consent?

It remains unchanged the provision of the Italian Privacy Code that requires consent for the delivery of marketing communications via email and other electronic means. Also, criminal sanctions are introduced for the breach of such obligation.

This is a very hot topic since the GDPR allowed to perform direct marketing on the basis of legitimate interest according to its recitals.

6. New regime but existing decisions and authorizations of the Italian Data Protection Authority saved

The decisions and the authorizations issued by the Italian DPA, the Garante per il trattamento dei dati personali, under the regime prior to the GDPR as well as the existing Ethical Codes will remain in place “to ensure continuity“, up until they are updated by the Italian DPA.

This is an interesting position, but if the provision is still like in the previous draft where it was made reference to their applicability “provided that they are compatible” with the GDPR, this is going to create a major uncertainty on which decisions/authorizations are actually compatible with the GDPR and companies shall start a sort of “guess work” with the result on taking on additional obligations in order to play safe.

7. Is a lighter regime for medium/small companies possible?

The Italian DPA will promote, under the new Italian privacy law, simplified modalities to comply with the GDPR for small and medium enterprises.

This is great, but unfortunately it might come too late when companies are likely to have already done most of the work. Also, this simplification will operate in any case within the perimeter of the GDPR that cannot be derogated, save for the aspects left to the descretionality of EU Member States. Therefore, such simplification cannot be too simple!

8. Do we really have an 8 months transitional period?

The Italian Data Protection Authority had required a waiver from the obligation to issue the fines provided by the GDPR during the period following the adoption of the decree of integration of the GDPR. Since such waiver would have been in breach of EU laws, the provision states that the Italian Data Protection Authority will “take into account” in the issue of fines of the first applicability of the decree during the 8 month period following the coming into force of the decree.

The provision is quite ambiguous. There is definitely the message from the regulator that it will be more tolerant during these first months, but since it is obliged to issue fines, such tolerance cannot go beyond certain limits.

Participate to our event of the 13th of Septembre 2018 whose details are available HERE.

Also, if you found this article interesting, please share it on your favourite social media!