Italy
Summary
Law: Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: Italian data protection authority ('Garante')
Summary: Italy implemented the GDPR by amending the Code and repealing those sections of the Code which directly conflicted with the GDPR. Supervision over the Code is conducted by the Garante, which, among other things, acts upon data subjects' complaints, provides specific data protection measures for data controllers and processors, and adopts guidelines to assist organisations' compliance with the GDPR. The most recent enforcement actions of the Garante resulted in the imposition of fines in the millions of Euros and focused on concerns including unsolicited telemarketing calls, transparency and consent obligations, the implementation of the principle of Privacy by Design within data breach management systems, and data retention standards. The Garante has also issued specific guidance in key compliance areas such as the processing of special categories of personal data in the employment context, the processing of genetic data, and the processing of personal data carried out for scientific research purposes.