Italy: Decree amending Italian data protection law in relation to processing for public purposes published in Official Gazette
Decree Law 8 October 2021 n. 139 adopting Urgent Provisions for Access to Cultural, Sporting and Recreational Activities, as well as for the Organisation of Public Administrations and for the Protection of Personal Data was published, on 8 October 2021, in the Official Gazette, and entered into force the following day. In particular, the decree, which follows the announcement previously made, amends a number of provisions of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Code'), establishing, among other things, that the processing of personal data by a public administration as well as by a publicly controlled company (with the exclusion of those processing related to activities carried out under free market conditions) is always permitted if necessary for the fulfilment of a task carried out in the public interest or for the exercise of public powers attributed to the same. In addition, the decree establishes that the purpose of the processing, if not provided by law or regulation, may be determined by the public administration or the publicly controlled company concerned, in accordance with the task performed or the power exercised, ensuring adequate publicity for the identity of the data controller and the purposes of the processing, and providing data subjects with any other relevant information to ensure transparency. Furthermore, the decree provides that the same entities may also share personal data, for public purposes, among themselves (with limited exceptions), and to third parties who intend to process data for other purposes.
Moreover, the decree deprives the Italian data protection authority ('Garante') of the authority to prescribe mandatory measures to guarantee the interests of the data subjects, when the processing is carried out for public purposes and creates a high risk pursuant to Article 35 of the GDPR, and in addition, it abolishes the requirement that the retention of telephone and traffic data for the purposes of ascertaining and repressing crime be carried out in compliance with the abovementioned measures established by the Garante.
Additionally, the decree introduces new provisions with regard to the powers of the Garante in matters of revenge porn. Lastly, the decree provides that the deadline for the Garante to express opinions in relation to the National Recovery and Resilience Plan ('PNRR') is reduced to 30 days.
You can read the decree, only available in Italian, here.