Italy - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
Legislative Decree no. 101 of 10 August 2018, Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (only available in Italian here) ('the Decree') has amended the former Personal Data Protection Code, Legislative Decree No. 196/2003 (an amended consolidated version of which is only available in Italian here) ('the Code') to implement the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Decree, which was published in the Italian Official Gazette on 4 September 2018 and came into effect on 19 September 2018, repealed those sections of the Code deriving from the implementation of the previous Data Protection Directive (Directive 95/46/EC) and directly conflicting with the GDPR.
The Italian data protection authority ('Garante') has enacted a general guide on the application of the GDPR (only available in Italian here), which endorses all of the guidelines and opinions issued by the Article 29 Working Party.
1.3. Case Law
The Garante has adopted several decisions and opinions on various topics during 2017, 2018, and 2019. Some of the most relevant topics include:
- with regard to unsolicited communications, the Garante issued a significant number of injunctions to counter the phenomenon of 'wild telemarketing'. This led to numerous sanctions against providers of electronic communications and consumer services;
- in order to enable compliance with national vaccine obligations, in accordance with the tight schedule envisaged in the law, the Garante issued a decision to authorise schools to directly communicate children's non-sensitive personal data to public and private health authorities;
- as part of an investigation carried out by the Rome Public Prosecutor's Office, the Garante imposed fines for a total amount of over €11 million on five money transfer companies that had processed personal data of over one thousand individuals unlawfully and without their knowledge (the so-called 'money transfer case,' only available in Italian here);
- with regard to the Cambridge Analytica case, the Garante conducted an important investigation, asking Facebook for further documentation on the possible violation of personal data of thousands of Italian users (only available in Italian here);
- the Garante highlighted critical issues in the way the Revenue Agency decided to implement the new generalised electronic invoicing obligation introduced by the 2018 Italian Budget Law (only available in Italian here) ('the 2018 Budget Law'). The Garante exercised for the first time the new corrective power attributed to it by the GDPR, warning the Revenue Agency that the new electronic invoicing obligation could seriously affect the data protection and the safeguards granted to the data subjects (citizens) involved;
- on several occasions the Garante has been requested to provide indications and clarifications on the application of the GDPR, with particular reference to the data protection impact assessments ('DPIAs') to be carried out in the health sector and to the procedures to be followed when data subjects request to exercise their rights concerning health data; and
- the Garante sanctioned the Italian Rousseau Association with a fine of €50,000 for the violation of Articles 32 and 83(4)(a) of the GDPR (only available in Italian here). In its decision, the Garante held that sharing login credentials among several persons for the management of the same online platform violates the controller's obligation to adopt adequate technical and organisational measures, since actions carried out with shared credentials cannot be attributed to an identified individual.
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
The main regulator for data protection is the Garante, which is headquartered in Rome.
2.2. Main powers, duties and responsibilities
The Garante's main functions are:
- to supervise data processing activities to ensure compliance with data protection rules;
- to take action upon complaints lodged by data subjects;
- to lay down ethical rules for personal data processing carried out both by public and private bodies in the employment context;
- to report crimes that can be prosecuted ex officio and detected in the exercise of its powers and functions;
- to order data controllers and processors to adopt specific measures so that personal data are processed correctly;
- to prohibit or block data processing activities that may constitute a risk for data subjects;
- to adopt resolutions and draft opinions;
- to suggest to the Italian Government and the Italian Parliament the necessity to adopt specific legislative/regulatory measures;
- to raise awareness among citizens about data protection and involve them in public consultations in relation to the drafting of general resolutions;
- to control or assist in matters of data protection foreseen by national ratification laws, by international conventions, or by acts of the EU;
- to cooperate with the other Italian independent administrative authorities assisting them in the performance of their duties; and
- to adopt guidelines related to organisational and technical measures implementing the GDPR principles.
Also, it is important to underline that the Garante, duly represented by the State Advocacy, is entitled to take legal action against any data controller or data processor that violates provisions concerning the protection of personal data.
Additionally, according to Article 167(5) of the Code, the Garante may transmit documentation collected in the course of its assessment activities to the judicial authorities if elements emerge from those activities that suggest a crime has been committed.
Finally, the Garante has been granted the power to introduce simplified procedures and means for small and medium-sized enterprises to comply with the data controller's obligations under the GDPR.
3.1. National requirements
Entities which have appointed a data protection officer ('DPO') must notify the Garante of the DPO's contact details (Article 28(4) of the Code). No other notification or fee is due with regard to data protection matters (e.g. for the choice of a main establishment). All the information on the procedure for notifying the DPO's contact details to the Garante can be found in the Garante's frequently asked questions on the subject (only available in Italian here).
The Garante has adopted an online procedure for DPO notification, only available in Italian here.
4. DATA SUBJECT RIGHTS
Generally speaking, the exercise of rights under Articles 15 to 22 of the GDPR is limited (on the basis of Articles 2-undecies and 2-duodecies of the Code) if it may cause an effective and concrete prejudice to:
- interests protected by anti-money laundering provisions or by provisions on support for victims of extortion;
- activities of inquiry carried out by parliamentary commissions and activities carried out by a public entity for monetary and financial purposes; or
- activities related to defensive investigations or to the exercise of a right before judicial authorities.
In all the cases listed above, the data subject must promptly receive a reasoned communication specifying the grounds for the limitation or delay of his/her rights (unless such communication would prejudice the purposes of the limitation or delay).
Please refer to section 4. above.
The amendments to the Code introduced Article 2-duodecies, implementing Article 23(1)(f) of the GDPR, which restricts the scope of the obligations and rights listed in Articles 12 to 22 and 34 of the GDPR in order to safeguard judicial proceedings. In particular, when data processing is carried out for judicial purposes, the rights and obligations under the mentioned articles must be exercised within the limits and according to the modalities provided by procedural laws.
Please refer to Section 4. above.
5.1. National regulation of the processing of children's data and age of consent
Article 2-quinquies of the Code provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is below the age of 14 years, consent must be given by the holder of parental responsibility over the child.
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
Further specifying Article 9(2) of the GDPR, the Decree establishes that biometric, genetic, and health-related data can be processed provided that specific safeguards (including security measures, such as encryption and pseudonymisation) are implemented. Such security measures, which have not been issued yet, will be established by the Garante at least every two years. Moreover, with reference to health-related data, the Decree imposes a general prohibition on processing such data, except in certain cases. Among others, these are the cases of processing for:
- the purposes of preventive medicine;
- the purposes of assessment of the employee's ability to work, diagnosis, assistance, health, social therapy, or management of health/social systems and services; and
- reasons of public interest in the public health sector.
The previous formulation of the Code required consent of the data subject for the processing of such health data, which is not necessary anymore on the basis of the amended version of the Code. As specified in section 12 below, it should be noted that the Garante, with regard to the processing of special categories of personal data, has declared the following general authorisations as compatible with the GDPR and with the Decree:
- General authorisation No. 1/2016 on the processing of particular categories of personal data within the employment context (only available in Italian here) ('Authorisation No. 1/2016');
- General authorisation No. 3/2016 on the processing of special categories of personal data carried out by associative organisations, foundations, churches, and religious associations or communities (only available in Italian here) ('Authorisation No. 3/2016'); and
- General authorisation No. 6/2016 on the processing of special categories of personal data carried out by private investigators (only available in Italian here) ('Authorisation No. 6/2016'); and
- General authorisation No. 8/2016 on the processing of genetic data (only available in Italian here) ('Authorisation No. 8/2016').
With regard to data relating to criminal convictions and offences, processing is allowed only on the basis of a law or regulatory provision providing for appropriate safeguards for data subjects. Where such provisions have not been enacted, the conditions for the lawful processing of judicial data are to be determined by a Decree of the Ministry of Justice. These provisions also apply in the employment context.
7.1. Additional/varied requirements on DPO appointment, role and tasks
As mentioned above, the Garante must be notified of the DPO's appointment, together with all the information necessary to identify the DPO and their position. The Garante developed an online procedure to be used for this notification.
8.1. Variation/exemptions on breach notification obligation
Before the amendments introduced by the Decree, the Code provided for sector-specific data breach notification duties towards the Garante: telephone companies and internet service providers had to notify within 24 hours of discovering the breach; public and private health entities within 48 hours of becoming aware of the event; and any data processor, in the case of IT incidents that may have had a significant impact on installed biometric systems, within 24 hours of becoming aware of the breach.
The Decree has significantly changed these notification duties, since it imposes on all data controllers and data processors operating in any sector the obligation to notify data breaches in accordance with Articles 33 and 34 of the GDPR. Article 33 requires notification to the supervisory authority, where feasible, within 72 hours of the controller becoming aware of the breach (a later notification must be accompanied by reasons for the delay), while Article 34 requires communication to the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
The Garante adopted, on 30 July 2019, a new form to be used for data breach notifications (only available in Italian here).
8.2. Sectoral obligations
9.1. National activities subject to prior consultation/authorisation
According to Article 110-bis of the Code, the Garante can authorise the processing of personal data, including the special categories of personal data listed under Article 9 of the GDPR, carried out by third parties for scientific and statistical purposes, where informing the data subjects is impossible, would involve a disproportionate effort, or would seriously impair the purposes of the research. In such cases, appropriate measures must be adopted to protect the rights, freedoms, and legitimate interests of the data subjects.
Furthermore, Article 1(1022) of the 2018 Budget Law provides that data controllers who intend to process personal data on the basis of their legitimate interest and want to make use of new technologies or automated tools for that processing must promptly notify the Garante, and that the Garante can prohibit the processing where it would have prejudicial effects on data subjects' rights and freedoms.
9.2. National activities not subject to prior consultation/authorisation
10.1. National implementation of Article 89 of the GDPR
According to Article 105 of the Code, personal data processed for statistical or scientific purposes may not be used to take decisions or measures concerning the data subject, nor for any other processing for purposes of a different nature. In addition, the statistical and scientific purposes for which data are processed must be communicated to the data subject in accordance with Articles 13 and 14 of the GDPR (unless this communication would involve a disproportionate effort). Pursuant to Article 20(4) of the Decree, the Garante has adopted the code of conduct relating to the processing of personal data for statistical and scientific purposes (only available in Italian here) and the code of conduct relating to the processing of personal data for statistical and scientific purposes within the National Statistical System (only available in Italian here). These codes of conduct were also published in the Italian Official Gazette on 14 January 2019 and are now attached to the Code as Annex A. The Garante affirms that compliance with the provisions set forth in the codes of conduct is an essential condition for the lawful processing of personal data, and any failure to comply with such provisions may lead to the application of the sanctions set out in Article 83(5) of the GDPR.
With regard to sanctions, the Italian legislator has substantially modified the previous legislative framework on the basis of the so-called opening clause of the GDPR (Article 84), which allows Member States to provide for criminal sanctions for certain violations of data protection legislation. These sanctions have been added to the administrative fines already provided under the GDPR, and certain criminal offences under the previous formulation of the Code have been modified. In this respect, attention has been paid to avoiding any violation of the principle of ne bis in idem, according to which no one shall be punished twice for the same offence.
The Code refers to the administrative fines established by the GDPR, specifically:
- Article 83(4) of the GDPR, imposing administrative fines up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violations of specific provisions of the Code, such as:
  - Article 2-quinquies(2) on children's consent for information society services, namely where the information notice does not meet the relevant requirements;
  - Article 123(4) on traffic data, namely where the information notice given by providers of a public communication network or publicly available electronic communications service does not comply with the relevant GDPR provisions; and
  - Article 110(1), namely where the DPIA is not carried out in the context of medical, biomedical, and epidemiological research.
- Article 83(5) of the GDPR, imposing administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations of the Code, such as:
  - Article 2-ter on the legal basis for personal data processing pursuant to a public interest;
  - Article 2-quinquies on children's consent for information society services, where the child's consent is not properly collected;
  - Article 2-septies on safeguards for the processing of biometric, genetic, and health-related data; or
  - Article 2-octies on the processing of judicial data.
New crimes introduced by the Decree are:
- unlawful communication and dissemination of personal data where large-scale processing takes place with the aim of making profit or causing damage in violation of specific provisions of the Code (Article 167-bis of the Code), for which the sanction is imprisonment from one to six years (but it may be lowered in case administrative sanctions also apply); and
- fraudulent acquisition of personal data where large-scale processing takes place with the aim of making profit or causing damage (Article 167-ter of the Code), which is sanctioned with imprisonment from one to four years.
The Italian legislator has also made a few changes to the existing criminal offences, specifically:
- false statements made to the Garante and intentional obstruction of the exercise of the Garante's powers, for example of its proceedings or investigations (Article 168 of the Code);
- non-compliance with the Garante's decisions (Article 170 of the Code); and
- violation of provisions on employees' remote monitoring and the prohibition of opinion surveys, making reference to the sanctions established by the Workers' Statute, Law No. 300/1970 (only available in Italian here).
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
A relevant jurisdictional issue concerns the Garante's general authorisations and their compatibility with the GDPR. Pursuant to Article 21(1) of the Decree, the Garante, through a provision on 13 December 2018 has identified and listed the general authorisations that are compatible with the GDPR and with the Decree. The general authorisations which have been declared compatible with the GDPR are:
- Authorisation No. 1/2016;
- Authorisation No. 3/2016;
- Authorisation No. 6/2016;
- provisions on the processing of genetic data (General authorisation no. 8/2016) (only available in Italian here); and
- provisions on the processing of personal data carried out for scientific research purposes (General authorisation No. 9/2016) (only available in Italian here).
Furthermore, the Garante has declared that the following four general authorisations have ceased to have effect:
- provisions on the processing of data to reveal the state of health and sexual life of data subjects (General authorisation No. 2/2016) (only available in Italian here);
- provisions on the processing of special categories of personal data carried out by freelance workers (General authorisation No. 4/2016) (only available in Italian here);
- provisions on the processing of personal data carried out by different categories of data controllers (General authorisation No. 5/2016) (only available in Italian here); and
- provisions on the processing of judicial data carried out by private individuals, economic public bodies, and public subjects (General authorisation No. 7/2016) (only available in Italian here).