Italy: Data Protection & Cyber Security 2018

Last Updated: 14 June 2018
Article by Gianluca De Cristofaro and Chiara Bocchi
Most Popular Article in Italy, June 2018

1. Basic National Legal Regime

1.1 Laws

As regards personal data protection and cybersecurity, Italy's main law is the Personal Data Protection Code or Privacy Code (Legislative Decree No 196 of 30 June 2003: Codice in materia di protezione dei dati personali o Codice Privacy), which constitutes the transposition of directive 95/46/EC and directive 2002/58/EC, and repeals Law No 675 of 31 December 1996 (the very first Italian data protection law). The Privacy Code is the consolidated statute on both data protection and cybersecurity, and it is complemented by guidelines, recommendations, orders and codes of conduct issued and approved by the Italian Personal Data Protection Authority (referred to as Garante per la protezione dei dati personali or Garante).

In addition, and prior to, the Privacy Code, the Constitution of the Italian Republic (which lists all fundamental principles governing Italy) also provides for personal data protection: namely Article 2, stating that: "The Republic recognises and guarantees the inviolable rights of the person, as an individual and in the social groups where human personality is expressed." Moreover, Article 15 expressly qualifies as inviolable: "The freedom and confidentiality of correspondence and of every other form of communication," thus including electronic communication. General principles applying to data protection can also be found in the European Convention on Human Rights adopted by the European Court of Human Rights (namely Article 8, granting the right to respect for private and family life) and in the Charter of Fundamental Rights of the European Union (Article 7 concerns family life, whereas Article 8 expressly addresses everyone's right to protection of personal data); moreover, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the so-called "Convention 108") of the Council of Europe shall also be mentioned.

A number of other national laws may address specific categories of personal data, adding requirements for lawful processing. For instance: the processing of portrait photos is subject to both the Privacy Code and Copyright Law (ieLaw No 633 of 22 April 1941); video surveillance systems have to comply with both the Privacy Code and the so-called Statuto dei Lavoratori or Workers' Statute (ieLaw No 300 of 20 May 1970).

Save for the above, the basic principles governing personal data processing are found under Sections 3 and 11 of the Privacy Code. According to such principles, personal data shall be:

  • processed lawfully and fairly (lawfulness and fairness);
  • collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes (purpose limitation);
  • accurate and, when necessary, kept up to date (accuracy);
  • relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed (proportionality);
  • limited to cases in which the purpose sought cannot be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in the case of necessity (data minimisation); and
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (limited storage period).

Data subjects shall, in any case, be informed of the main features of the processing, prior to processing; if personal data is not collected directly from data subjects, an information notice shall be given at the time of recording such data or, if their communication is envisaged, no later than when the data is first communicated. Such information shall include, inter alia: the identity and the contact details of the controller; the purposes of the processing; the obligatory or voluntary nature of providing the requested data, and the consequences in the event of refusal; the recipients or categories of recipients of the personal data, and the scope of dissemination; the transfer of personal data to a third country; and a brief description of the rights granted to data subjects according to the applicable data protection laws.

The legal basis for processing is, in most cases, the consent of a data subject: however, the consent might not be necessary where any other lawful basis for processing applies (ieif the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or else in order to comply with specific requests made by the data subject prior to entering into a contract).

Data controllers shall further process personal data in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Data processors, if any, shall be duly appointed in writing and given instructions by the data controller.

1.2 Regulators

The Garante is the main authority in charge of verifying whether data processing operations are carried out in compliance with the laws and regulations in force. Such tasks shall be discharged, inter alia, by: asking data controllers, data processors, data subjects or third parties to provide information and produce documents; ordering data controllers or data processors to adopt such measures as are necessary or appropriate; prohibiting unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations, and taking other measures as provided for by the legislation applying to the processing of personal data; giving opinions whenever required; and preferring information on facts and/or circumstances amounting to offences to be prosecuted ex officio, which it has come to know either in discharging or on account of its duties.

The Garante shall act either ex officio, or after receipts of reports and complaints lodged by other data subjects or the associations representing them. Investigations shall be carried out both through requests for information and documents and through access to data banks and performance of audits on the spot as regards premises where the processing takes place. The Privacy Unit of the Financial Police is the public authority that usually conducts such inspections on behalf of the Garante.

A plan of the future activities of the Garante is issued on a yearly basis: this document states the business field on which the investigations of the Garante are mainly focused in the relevant period.

1.3 Administration Process

Data subjects may apply to the Garante to point out an infringement of the relevant provisions on the processing of personal data; to call for a check on the mentioned provisions; or to lodge a complaint with a view to establishing the specific rights granted to data subjects by the applicable data protection law.

Any claim concerning data protection shall also be filed, alternatively and not cumulatively, to the civil courts (save for the fact that infringement of data protection provisions might result also in criminal offences). The two remedies differ in that: proceedings in front of the Garante do not require any formality, but the Garante is not entitled to provide for monetary compensation for damages; judicial proceedings have no fixed term, whereas the term provided to the Garante is 60 days from the date on which the complaint was lodged, to be extended by no more than 40 additional days if the enquiries are especially complex or the parties agree thereto (and, if no decision on the complaint is rendered within such a term, the complaint shall be regarded as dismissed).

A complaint filed to the Garante shall refer, with as many details as possible, to the facts and circumstances on which it is grounded; the date of the request made to the data controller; the remedies sought as well as to the identification data concerning the data controller and claimant; and the domicile of choice for the purposes of the relevant proceedings, including the address where communications shall be served. Any documents that may be helpful in evaluating the complaint must also be attached to it.

The Garante shall be responsible for communicating the complaint to the data controller within three days. The data controller may notify both the complainant and the Garante within ten days that he or she will voluntarily comply and, in this case, a declaration of no case to answer shall be returned. The data controller and the data subject have the right to be heard and submit pleadings or documents.

The Garante may order, also ex officio, that one or more expert assessments are carried out.

Measures taken following a complaint (or ex officio) shall include: the partial or total blocking of some of the data (also provisional, during proceedings), or the immediate termination of one or more processing operations; the order that the data controller abstain from unlawful conduct; and further remedies to enforce the data subject's rights and set a term for their implementation.

The decision may be challenged by the data controller or the data subject, as the case may be, by filing a petition to the judicial authority. Challenging shall not suspend enforcement of the decision.

1.4 Multilateral and Subnational Issues

Personal data protection has a high importance in the European Union (EU): aiming to grant the same level of personal data protection in the whole EU, national laws have been, at first, harmonised through Directive 95/46/EC and Directive 2002/58/EC, and then standardised, through the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the so-called General Data Protection Regulation or GDPR). The GDPR is binding and applicable as of 25 May 2016, but it becomes enforceable from 25 May 2018 after a two-year transition period.

Being a member of the EU, Italy shall abide by European regulations and directives and shall disapply any national laws inconsistent with EU rules and principles: this is why the Privacy Code is the transposition of Directive 95/46/EC and Directive 2002/58/EC, and this is why the Italian Government has been put in charge of the task of amending the Privacy Code in compliance with the new rules.

1.5 Major NGOs and Self-Regulatory Organisations

Among non-governmental organisations (NGOs), Federprivacy (Federazione Italiana Privacy or Italian Privacy Federation) must be mentioned. This association gathers privacy professionals and provides training on privacy issues.

Collective organisations representing specific categories of individuals for general purposes may draft codes of conduct, to be approved by the Garante.

1.6 System Characteristics

Italy is highly regulated, due to the fact that it follows the EU model: European systems are more developed than non-EU countries.

Compared to other Supervisory Authorities, the Garante is one of the most active in verifying and ensuring the compliance to data protection rules and principles.

1.7 Key Developments

In the last few months, no key developments have occurred in Italian national law or in the regulation field.

As anticipated, on 25 May 2018 the GDPR will enter into full force and effect: this means that, by this date, any EU Member State must implement due measures to ensure the effectiveness of the new rules, either by disapplying any non-consistent national law, or adopting any necessary new laws.

Ever since the adoption of the GDPR, Supervisory Authorities on a national level, and Article 29 Working Party (ie a group bringing together representatives of Supervisory Authorities of all EU Member States, as well as of the European Data Protection Supervisor and the European Commission; according to the GDPR, the Article 29 Working Party is going to be substituted by the European Data Protection Board) on a European level, have committed to ensuring the effective implementation of these issuing guidelines to data controllers and data processors to help with understanding and applying the new rules. The guidelines adopted so far by the Article 29 Working Party concern the right to data portability, data protection officers (DPOs), data protection impact assessments, the Lead Supervisory Authority, the application and setting of administrative fines , data breach notification and automated individual decision-making and profiling. Further guidelines have been drafted, but not yet adopted, and concern transparency, consent and adequacy referential.

In addition to guidelines concerning the GDPR, the Article 29 Working Party "Opinion 2/2017 on data processing at work" issued on 8 June 2017 has to be mentioned. Among other relevant issues, this document directs data controllers' attention to the fact that employees' consent is highly unlikely to be a legal basis for data processing at work, unless employees can effectively refuse without adverse consequences: indeed, employees are seldom in a position to give, refuse or revoke consent freely, given the dependency inherent in the employer/employee relationship.

As far as the transfer of personal data to non-EU Member States is concerned, in October 2017 the Irish Judges asked the European Court of Justice for a preliminary ruling on whether to strike down the data transfer mechanism used by Facebook (as well as by other tech groups) to transfer personal data of Facebook's European users to the United States, ie the so-called "standard contractual clauses": the awaited decision is going to have a huge impact on the legitimate grounds for data transfers among companies that are part of the same group.

1.8 Significant Pending Changes, Hot Topics and Issues

On 25 October 2017, with Law No 163, the Italian Government has been put in charge of amending – within six months – the Privacy Code as necessary to be consistent with the GDPR, in particular: repealing what is inconsistent with the new rules; co-ordinating the existing provisions with the GDPR; updating the Privacy Code to execute the provisions of the GDPR that are not directly applicable; and adjusting the penalty system. The Garante shall also issue any due decision to execute the GDPR properly.

At the end of January 2018, the European Commission issued its guidance on direct application of the GDPR (addressed mainly to citizens, business and organisations) and warned Italy: the concern is that Italy will not duly (ie by 25 May 2018) implement the GDPR in a timely manner.

The general principles governing data protection in the GDPR are basically the same as in the Privacy Code, with a higher attention to data controllers' accountability: therefore, no material changes are awaited.

This assumption has been confirmed by the Garante in its very first operative guide for the application of the GDPR: it is for this reason that most of the orders, guidelines and measures issued so far are likely to remain applicable; and it is for the same reason that the category of persons in charge of the processing, ie the natural persons that have been authorised by the data controller or processor to carry out processing operations (incaricati del trattamento), have already been confirmed. It must be noted that persons in charge of the processing are a peculiarity of the Italian system only, since their category has been added by Italian legislators to those of "data controllers" and "data processors" while transposing directive 95/46/EC (in other EU Member States, the category of "data processors" includes that of "persons in charge of the processing").

The Garante is going to issue draft agreements with data processors and joint controllers, and a formal repeal of the duty to notify certain processing operations is also awaited. As of today, clarifications on the role of DPOs have been issued only regarding the public sector, with a draft appointment agreement as well.

The GDPR has been adopted together with "Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA". This directive has to be transposed by 6 May 2018: the consequent amendments to the Privacy Code will affect Articles 53-58, concerning processing by the police and state defence and security.

As far as Italian national law is concerned, the so-called Registro delle Opposizioni (Opt-Out Register) has been amended with Law No 5 on 11 January 2018 – effective from 4 February 2018. This register collects, on a voluntary basis, data subjects' telephone numbers in case data subjects do not want their data processed for direct marketing or advertising purposes, or else for carrying out market surveys or interactive business communication. The main changes concern the possibility to include not only phone numbers, but also mobile numbers and, in both cases, irrespective of their being contained in publicly available paper or electronic directories, and the duty of data controllers to check, at least once a month, whether phone and mobile numbers have been included in the register, since a subsequent inclusion serves as waiver of the consent to processing.

To read this Chapter in full, please click here.

Originally published by Data Protection & Cyber Security 2018, Chambers & Partners.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Stefanelli & Stefanelli Studio Legale
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Stefanelli & Stefanelli Studio Legale
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions