Lack of clarity on Italian privacy obligations is creating considerable confusion among operators, but the GDPR is already in place.
As anticipated, on the 13th of September 2018 we ran an interesting event on the new Italian data protection law integrating the GDPR. Despite the very short one-week notice, we had a room “packed” with DPOs and legal counsels eager to know what was going to change with the long-awaited new Italian privacy law. Below is the presentation that we showed during the event and my top 5 takeaways that emerged during the discussion.
1. Is the GDPR the future or “Back to the Future”?
2. Is the new privacy framework complete, but still incomplete?
3. Shall direct marketing give up legitimate interest?
4. Which old obligations are still in place?
- appoint a system administrator,
- adopt measures on CCTV systems,
- meet requirements provided by the decision on cookies, but is such consent in line with the GDPR?
- follow the guidelines of the Italian DPA on direct marketing?
- adopt the measures required by prior opinions of the DPA, but shall data controllers at the same time run a DPIA?
- implement retention periods provided by decisions of the Italian DPA.
Also, the most burdensome obligation appears to be the need to set up an internal organization model with the so-called “internal” data processors and the appointment of each individual accessing personal data as a person in charge of the data processing, as shown in the chart below.
5. Sanctions are getting scary, but do we have a transitional period?
Criminal sanctions have been added to the fines already provided by the GDPR, and it is relevant that such fines also apply to breaches of direct marketing rules, which is the most sensitive topic for most of our clients.
Interestingly, the decree provides for an 8-month period, up to 19 May 2019, in which the Italian data protection authority will take into account the first applicability of the GDPR in determining fines.
There was considerable discussion among DPOs on this topic during the event; the general feeling is that the provision is very uncertain, and the Italian data protection authority has declared that it deems the GDPR sanctions already applicable.