{"id":58074,"date":"2018-04-09T08:30:15","date_gmt":"2018-04-09T07:30:15","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/iptitaly\/?p=58074"},"modified":"2019-06-24T11:42:52","modified_gmt":"2019-06-24T09:42:52","slug":"new-gdpr-guidelines-by-the-italian-data-protection-authority","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/iptitaly\/2018\/04\/new-gdpr-guidelines-by-the-italian-data-protection-authority\/","title":{"rendered":"New GDPR guidelines by the Italian Data Protection Authority"},"content":{"rendered":"<p>Italian companies can now rely on guidelines on how to comply with the European privacy regulation (GDPR) which unveil some interesting positions. <img decoding=\"async\" class=\"alignright size-full wp-image-56492\" src=\"https:\/\/blogs.dlapiper.com\/iptitaly\/files\/2015\/02\/Coraggio-Fusion.jpg\" alt=\"Giulio Coraggio\" width=\"67\" height=\"90\" \/><\/p>\n<p>After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali (the \u201c<strong>Italian DPA<\/strong>\u201d), issued its 6-step methodology on the GDPR, which also aims at increasing awareness of the most relevant changes introduced:<\/p>\n<h2>1. More detailed consent and broader legitimate interest<\/h2>\n<p>As already provided by the current regime, any type of processing of personal data needs to have a legal basis justifying it. In particular, among others, with reference to<\/p>\n<h3>Consent<\/h3>\n<p>An explicit (but no longer written) consent is required with reference to the processing of sensitive data (e.g. health-related data, which are now incorporated in the broader \u201c<em>special<\/em>\u201d category of data) and to the processing based on automated decision making, including profiling. 
This shall happen in line with the relevant guidelines of the Article 29 Working Party.<\/p>\n<p>The need for explicit consent to automated decisions impacting health-related data is burdensome, since <strong>the manual processing of requests might not be economically feasible for companies in some cases<\/strong>. Therefore, other solutions need to be identified to avoid the risk that customers do not give their consent to the automated processing of their applications.<\/p>\n<p>Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the current regime also meets the requirements of the GDPR, no new consent is required. If this is not the case, <strong>a new consent shall be obtained before the 25th of May 2018<\/strong>.<\/p>\n<h3>Legitimate interest<\/h3>\n<p>The legitimate interest shall no longer be identified by means of a decision of the data protection authority, as was instead provided by the Italian Privacy Code. Instead, a balancing test <strong>shall be performed by the data controller<\/strong> in order to rely on this legal ground for the processing of personal data, which is an alternative to consent.<\/p>\n<p>The Italian DPA confirms that the criteria identified in its previous decisions relating, for instance, to the usage of CCTV systems as well as fraud prevention solutions still apply. On the contrary, the Italian DPA does not provide clarifications as to the possibility to rely on legitimate interest for direct marketing purposes, which is one of the hottest topics at the moment.<\/p>\n<h2>2. Longer privacy information notice, but multi-layer<\/h2>\n<p>A much wider set of compulsory information shall be listed in the privacy information notice. The most relevant change in my view is <strong>the need to expressly mention the storage period of personal data<\/strong>. 
This will force companies to adopt a strict internal policy and technical measures to delete or anonymise data on the expiry of the storage period, and the identification of the applicable retention period might be quite complex.<\/p>\n<p>Also, the privacy information notice shall be concise, transparent, easily accessible and easy to understand. It can rely on standardised icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasised that the European Privacy Regulation pushes for the implementation of <strong>multi-layer privacy information notices<\/strong> in order to ease their understanding by the public. This would be essential given the very large amount of information to be included in the notice under the GDPR.<\/p>\n<p><strong>A privacy information notice compliant with the GDPR shall be in place before the 25th of May 2018<\/strong>, and therefore some operators that have a relationship with their customers only once a year might need to move quite fast!<\/p>\n<h2>3. Reinforced rights with the novelty of the data portability right<\/h2>\n<p>The GDPR sets strict deadlines to comply with requests for the exercise of individuals\u2019 rights, and therefore ad hoc internal organisational and technical procedures shall be put in place to address such requests. 
Also, the Italian DPA might issue some guidelines on the potential \u201c<em>reasonable fee<\/em>\u201d to be paid by individuals in extraordinary circumstances for the exercise of their rights, but in general terms the exercise of such rights shall be free of charge.<\/p>\n<p>The <strong>rights of access and erasure<\/strong> (the so-called \u201c<em>right to be forgotten<\/em>\u201d) are reinforced, and the need is emphasised to put in place a procedure to ensure that third parties processing data on behalf of the data controller also erase them following the exercise of the above-mentioned right.<\/p>\n<p>In particular, <strong>the right of restriction<\/strong> allows the further processing of personal data to be limited, pending a decision on it, and <strong>obliges the adoption of a procedure to \u201c<em>mark<\/em>\u201d such data up to the expiry of this transitional period<\/strong>.<\/p>\n<p>With reference to the <strong>data portability right<\/strong>, the Italian DPA refers to the opinion of the Article 29 Working Party.<\/p>\n<h2>4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains<\/h2>\n<p><strong>Data processing agreements with data processors shall be amended<\/strong>, since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to have in place a record of data processing activities, to implement adequate technical and organisational measures and, if they fall under specific categories, to appoint a data protection officer. 
The European Commission is considering the adoption of standard clauses for data processing agreements, but the main change relates to the controls to be implemented to monitor data processors and check their level of compliance with data protection laws.<\/p>\n<p>A positive change is that <strong>data processors can appoint sub-processors<\/strong>, but data processors remain liable towards the data controller for the activities of their sub-processors, unless \u201c<em>it proves that it is not in any way responsible for the event giving rise to the damage<\/em>\u201d.<\/p>\n<p>Interestingly, the Italian DPA <strong>provides that any individual accessing personal data shall still be appointed as one of the \u201c<em>persons in charge of the data processing<\/em>\u201d<\/strong> (<em>incaricati del trattamento<\/em>), which was a peculiarity of the Italian Privacy Code. Indeed, in order to prove the implementation of adequate technical and organisational measures, strict instructions shall be given to whoever has access to personal data. I totally share such an approach, and I also believe that internal data processors (also named privacy stewards\/champions) and in general individuals in charge of monitoring privacy compliance in addition to the DPO shall be adopted to prove the setting up of adequate organisational measures.<\/p>\n<h2>5. Need to adopt an accountability program<\/h2>\n<p>The accountability principle is one of the major changes introduced by the General Data Protection Regulation. 
This requires that companies processing personal data are able to prove that they have adopted the measures necessary to comply with the GDPR by means of a so-called \u201c<em>accountability program<\/em>\u201d.<\/p>\n<p>The accountability program finds two of its main elements in the implementation of a privacy by design and privacy by default approach and in the performance of a privacy impact assessment, which can be followed by a consultation with the competent data protection authority.<\/p>\n<p>Such elements require that the assessment of the legality of the data processing activities is no longer performed by the data protection authority, but needs to be carried out by each entity processing personal data. This is the reason why <strong>the obligation to notify certain types of data processing activities to the Italian DPA and the obligation\/possibility to run a prior check with it in some circumstances will no longer exist<\/strong>.<\/p>\n<p>Other elements of the accountability program are<\/p>\n<ol>\n<li>The establishment of a <strong>record of processing activities<\/strong>, which the Italian DPA recommends to any company, regardless of its size, and for which it might issue a template;<\/li>\n<li>The implementation of \u201c<em><strong>appropriate technical and organisational measures<\/strong> to ensure a level of security appropriate to the risk<\/em>\u201d, which can no longer be limited to the minimum security measures provided so far by the Italian Privacy Code. However, the Italian DPA is considering issuing guidelines on the security measures to be put in place;<\/li>\n<li>The adoption of a procedure for the <strong>notification to the Italian DPA and the communication to the relevant individuals of data breaches<\/strong>, \u201c<em>unless the controller is able to demonstrate [\u2026] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons<\/em>\u201d. 
For this purpose, data controllers \u201c<em>shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken<\/em>\u201d, regardless of whether the breach has been notified to the Italian DPA, and make such documentation available upon request; and<\/li>\n<li>The <strong>appointment of a data protection officer<\/strong>, on which the Article 29 Working Party issued an opinion.<\/li>\n<\/ol>\n<h2>6. No major change for transfers of data outside the EEA<\/h2>\n<p>Principles and tools such as those currently provided remain for the transfer of personal data outside of the European Economic Area. It is possible to rely on codes of conduct, but those shall be expressly approved by the competent data protection authority.<\/p>\n<p>Also, it is not possible for courts of non-EEA countries to order the transfer of personal data outside the EEA. This shall occur either on the basis of international treaties or if the relevant EU Member State recognises the public interest in the data transfer.<\/p>\n<p>If you found this article interesting, please share it on your favourite social media!<\/p>\n<p><strong><a href=\"https:\/\/twitter.com\/GiulioCoraggio\">@GiulioCoraggio<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Italian companies can now rely on guidelines on how to comply with the European privacy regulation (GDPR) which unveil some interesting 
positions.\u00a0<\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[17],"tags":[446,769,6],"class_list":["post-58074","post","type-post","status-publish","format-standard","hentry","category-dataprotection","tag-garante","tag-gdpr","tag-privacy"],"_links":{"self":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/comments?post=58074"}],"version-history":[{"count":0,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58074\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/media?parent=58074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/categories?post=58074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/tags?post=58074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}