Contributed By LCA Studio Legale
As regards personal data protection and cyber-security, Italy’s main laws are:
The Privacy Code has been amended and complemented by:
Further to such amendments, the GDPR became the first source of data protection provisions in Italian legislation; the Privacy Code only provides additional provisions, basically where the GDPR entitled EU Member States to do so.
All of the above are complemented by guidelines, recommendations, orders, general authorisations and codes of conduct issued and approved by the Italian Personal Data Protection Authority (‘Garante per la protezione dei dati personali’ or ‘Garante’) and by the European Data Protection Board (‘EDPB’), ie, a body of the Union – set up by the GDPR – having legal personality that brings together the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives, as well as a representative of the Commission (without voting rights).
The EDPB substituted the Article 29 Working Party (‘Art29WP’) from the date the GDPR entered into force (25 May 2018), endorsing the guidance already provided by Art29WP and developing additional guidance.
Principles applying to data protection shall also be found in the Constitution of the Italian Republic, which lists all fundamental principles governing Italy, and in other national laws, which may address specific categories of personal data, adding requirements for lawful processing, eg, Law 633/1941 (‘Copyright Law’) and Law 300/1970 (‘Workers’ Statute’).
General principles applying to data protection can also be found in:
The Garante is the main authority in charge of verifying whether data processing operations are carried out in compliance with the laws and regulations in force. Such tasks shall be discharged, inter alia, by:
The Garante shall act either ex officio, or upon receipt of reports and complaints lodged by other data subjects or the associations representing them.
Data subjects may apply to the Garante to report an infringement of the relevant provisions on the processing of personal data, to call for a check on the mentioned provisions, or to lodge a complaint.
Any claim shall be filed, alternatively and not cumulatively, to the civil courts (save for the fact that infringement of data protection provisions might also result in criminal offences). The two remedies differ in that proceedings in front of the Garante do not require any formality, but the Garante is not entitled to provide monetary compensation for damages; and judicial proceedings have no fixed term, whereas the term provided to the Garante is nine months from the date on which the complaint was lodged, to be extended up to 12 months if the enquiries are especially complex (and to be suspended if the co-operation procedure under Article 60 of the GDPR is started).
The decision may be challenged by filing a petition to the judicial authority. Challenging shall not automatically suspend enforcement of the decision.
To grant the same level of personal data protection throughout the EU, national laws have been harmonised through Directive 95/46/EC and Directive 2002/58/EC, and then standardised through the GDPR.
Being a member of the EU, Italy shall abide by European regulations and directives and shall disapply any national laws inconsistent with EU rules and principles; this is why the Privacy Code transposed Directive 95/46/EC and Directive 2002/58/EC, and was amended by the GDPR Adaptation Decree.
The latter also determines the transition period and expressly states that its provisions and further Italian laws shall be applied and interpreted according to EU relevant laws. Likewise, guidelines, recommendations and orders issued and approved by the Garante shall be deemed to remain in force insofar as they are consistent with the GDPR. Existing codes of conduct and general authorisations for processing of ‘sensitive’ data are expressly subject to a review process.
Of the non-governmental organisations (NGOs), Federprivacy (Italian Privacy Federation), Istituto Italiano Privacy (Italian Privacy Institute), Asso DPO (Data Protection Officer Association) and Associazione Nazionale per la Protezione dei Dati (National Association for Data Protection) deserve mention. These associations provide membership to privacy professionals, offer training on privacy issues and strengthen contacts with the Garante.
Many NGOs were established soon after the entry into force of the GDPR – a sign of the increased awareness of the importance of data protection, thanks to the new European regulation.
Collective organisations representing specific categories of controllers or processors for general purposes may draft codes of conduct, or amend or extend existing ones, for the purpose of specifying the application of privacy legislation. Codes of conduct shall be approved by the Garante, prior to their registration and publication. In relation to processing activities in several EU Member States, the prior opinion of the EDPB shall be sought and, if it confirms compliance of the code with the GDPR, the Commission shall give validity to the code within the EU by way of implementing Acts.
To date, the Garante has confirmed the consistency and, therefore, the effectiveness of some codes of conduct already approved under the Privacy Code – for example, those on data processing for journalism, for scientific research or statistical purposes, for defensive investigations and for the establishment, exercise or defence of legal claims, and for archiving purposes in the public interest or historical research purposes.
Following the EU model, Italy is highly regulated, and European systems are indeed more developed than non-EU countries.
Compared to other supervisory authorities, the Garante is one of the most active in verifying and ensuring compliance to data protection rules and principles.
The major development in the past year has been the adaptation of the Italian legal system to the GDPR. The GDPR Adaptation Decree was eagerly awaited and came as a surprise, as early rumours announced the repeal of the Privacy Code, whereas it only amended the Privacy Code and added some transitional provisions.
In parallel, the Garante has issued various guidelines and templates concerning:
These guidelines are in addition to those issued by Art29WP and the EDPB, concerning:
Art29WP also started the review process for the approval of binding corporate rules (BCRs).
Accredia has been designated as the Italian certification body in charge of issuing certifications pursuant to Article 43 of the GDPR.
Brexit is probably the hottest topic on the horizon for the next 12 months. The consequences for data protection are not yet clear but will undoubtedly be of paramount importance as the UK will become a third country.
The e-regulation, ie, a regulation repealing Directive 2002/58/EC (and further amendments) concerning data protection in the electronic communications sector, is also eagerly awaited, and a proposal is currently under discussion.
A brand new proposal has been put forward to merge the Garante with AGCOM (the supervisory authority for communications), aimed at strengthening their respective powers and actions.
Although some EU countries had already implemented DPOs, as far as Italy is concerned, the role of DPO is newly introduced by the GDPR, whereas the role of privacy officer remains unlegislated.
Privacy officers shall, nevertheless, be selected among entities that can appropriately ensure, on account of their experience, capabilities, reliability and compliance, that provisions are in force, as applied to processing and related to security matters. Their tasks might be performed either by controllers or processors (such as external consultants), or by the so-called designated subjects (or ‘soggetti designati’), ie, people who are part of a controller’s or processor’s organisation and have been put in charge of specific functions concerning personal data processing by the controller or the processor. Designated subjects were introduced under the GDPR Adaptation Decree.
DPOs shall have expert knowledge of data protection law and practices, be able to provide advice and monitor compliance with data protection laws, and be bound by a duty of confidentiality. DPOs may be either staff members of the controller or processor, or be third-party providers acting on the basis of a service contract. In both cases, they shall be independent, avoid any conflicts of interest and report directly to the highest management level. A group of undertakings might appoint just one DPO, provided that it is easily accessible by each member entity.
According to the Administrative Court (TAR) of Friuli Venezia-Giulia (order no 287/2018), DPOs shall have a strong judicial background, thus recommending that preference is granted to jurists rather than IT experts (at least in the public sector).
Under the GDPR, the appointment of a DPO is compulsory in just three cases, which are:
• where the processing is carried out by a public authority or body;
• where the core activities of the controller or the processor consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale; and/or
• where the core activities of the controller or the processor consist of processing ‘sensitive’ data or ‘judicial’ data on a large scale.
Italian laws provide for the appointment of a DPO for competent judicial and police authorities.
Art29WP and the Garante recommend the appointment of DPOs in general, both as good practice and as proof of accountability.
Processing shall be lawful only if and to the extent that it is compliant with the basic principles of processing (Article 5 of the GDPR determines such principles as lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability), and that one legal basis for the processing applies.
Legal bases are listed under Article 6 of the GDPR. They include:
To rely on legitimate interest, the so-called balancing test shall be carried out in advance to ensure that rights and freedom of the data subject do not prevail against the interest of the controller. In their guidelines on transparency, Art29WP recommended to identify the specific interest pursued, providing the data subject with information from the balancing test or, at least, confirming that they can obtain information on the balancing test upon request.
Where consent is relied upon, it shall be freely given, specific, informed, unambiguous and demonstrable. Art29WP’s guidelines on consent provide further advice.
The GDPR does not force the adoption of minimum security measures (including technical and organisational measures). Preferring an accountability-based approach, it requires controllers and processors to identify and implement appropriate technical and organisational measures in order to ensure a level of data protection appropriate to the risks for personal data, both at the time of determination of the means for processing (privacy by design) and at the time of the processing itself (privacy by default), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as all the risks for the rights and freedoms of individuals.
Some examples are provided under Article 32 of the GDPR.
As to privacy impact analyses, the GDPR provides for assessments of the impact of the envisaged processing operations on the protection of personal data (data processing impact assessments or ‘DPIAs’) to be conducted by controllers prior to processing, where that type of processing is likely to result in a high risk to the rights and freedoms of natural persons. DPIAs are compulsory in the case of:
Art29WP has issued guidelines to help controllers and processors understand when DPIAs are needed and how to conduct them. When in doubt about whether to carry out a DPIA, the advice is to proceed.
Supervisory authorities are expressly empowered to extend or reduce the list of cases in which DPIAs have to be carried out. The Garante adopted its list, and confirmed that controllers can use the open-source software developed by the CNIL (the French Data Protection Authority) as guidance.
Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to processing.
Data subjects shall be informed of the main features of the processing of their data, prior to processing. The information to be provided is stated under Articles 13-14 of the GDPR, covering the main features of the processing.
Data subjects shall, at any time, exercise their rights as granted under the applicable data protection law. Any request shall be issued to the relevant controller and will not be subject to any formalities; a standard form is published on the website of the Garante for data subjects’ convenience.
Controllers shall not unreasonably refuse to act on the request of data subjects for exercising their rights, and shall reply without undue delay, within one month of receipt of the request; this term may be extended up to three months, taking into account the complexity and number of the request(s).
Where the request of the data subject is rejected, the controller shall inform the data subject without delay – and at the latest within one month of receipt of the request – of the reasons for not taking action, the possibility of lodging a complaint with a supervisory authority, and of seeking a judicial remedy.
Information and actions provided to data subjects shall be given free of charge, unless data subjects’ requests are manifestly unfounded or excessive (ie, the controller does not own any personal data of the requesting data subject). In such cases, the controller may either charge a reasonable fee, taking into account the costs actually incurred for the enquiries made in the specific case, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
The Privacy Code provides for some limits to the rights granted to data subjects, which cannot be invoked in the case of risk of a severe bias to rights protected by anti-money laundering provisions, to defensive investigations or for establishment, exercise or defence of legal claims, or to the identity of whistle-blowers.
The use of personal data and identification data shall be minimised in such a way as to rule out their processing if legitimate purposes can be achieved by using either anonymous data or using suitable arrangements to allow the identification of data subjects only when necessary.
Anonymisation, de-identification and pseudonymisation may be considered adequate technical security measures, or an appropriate safeguard, on a case-by-case basis. For instance, pseudonymisation combined with encryption can reduce the likelihood of individuals being identified in the event of a breach and, therefore, the need to notify the breach to data subjects according to the GDPR.
When dealing with profiling, automated decision-making, online monitoring or tracking, Big Data analysis and artificial intelligence, data protection provisions shall be taken into account as all these activities imply personal data processing.
The GDPR introduced restrictions on automated decision-making, broadening the protection previously ensured by the Privacy Code to data subjects against decisions based solely on automated processing, including profiling. These include requesting controllers to implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least by granting to individuals the right to obtain human intervention on the part of the controller, to express their point of view and to contest a decision based on an automated process. Data subjects shall be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, at the time of provision of the information notice.
Save for the above, automated decisions are legitimate – according to the GDPR – only if:
Automated decisions shall not be based on ‘sensitive’ data, unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place, and the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, or processing is necessary for reasons of substantial public interest, on the basis of EU or national law, which shall be proportionate to the aim pursued and respect the essence of the right to data protection.
Automated decisions are also subject to a DPIA.
In the case of a breach of personal data protection laws, data subjects may suffer damages and be entitled to compensation under Article 82 of the GDPR (mentioned also by Article 152 of the Privacy Code).
Damages shall be either material or non-material. As to non-material damages, no classification is required – according to Italian case law, any potential category of non-material damages (reputational, emotional, embarrassment, etc) is just a description, since non-material damages are and shall remain unitary and not subject to duplication due to the use of different names.
‘Sensitive’ data is a definition previously used by the Privacy Code to address personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.
The GDPR renamed ‘sensitive’ data as ‘special categories of personal data,’ expressly adding genetic data and biometric data processed for the purpose of uniquely identifying a natural person. Although the GDPR Adaptation Decree replaced the definition of ‘sensitive’ data with ‘special categories of personal data,’ such data is still commonly referred to as ‘sensitive’ data.
Processing of ‘sensitive’ data is prohibited, except in the circumstances provided under Article 9 of the GDPR. Such circumstances are in addition to, and not in lieu of, the legal basis for processing.
EU Member States are expressly empowered by the GDPR to introduce further conditions, including limitations, with regard to the processing of genetic, biometric and health data. Accordingly, the Privacy Code puts the Garante in charge of issuing, every two years, safeguarding measures for the processing of genetic data, biometric data and health data.
It has to be remembered that, under the Privacy Code, the prior authorisation of the Garante was needed to ensure lawful processing of ‘sensitive’ data. To ease controllers’ tasks and duties, the Garante usually issued general authorisations (for example, for the processing of sensitive data in the employment context). Where the processing complied with the relevant general authorisation, controllers had no need for an ad hoc authorisation. The GDPR Adaptation Decree has put the Garante in charge of the duty to check existing general authorisations for the processing of ‘sensitive’ data and to amend or update these according to the GDPR.
Financial data, if it allows the identification of data subjects, is considered personal data.
Certain communications of financial data are mandatory under Italian law, for instance for the purpose of anti-money laundering (which requires the processing of information related not only to individual banking operations, but also to a wider amount of personal data insofar as they are necessary to detect abnormal/unusual operations), for countering terrorism by financial means and for taxation offences, or to the credit bureau managed by the Banca d’Italia (Bank of Italy). Further communications may also be due to judicial authorities in pursuance of the law and/or to creditors in connection with enforcement proceedings or following requests for access to banking documents.
Guidelines were adopted in 2007 by the Garante for the processing of customers' data in the banking sector. The ‘Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments’ adopted by the Garante in 2004, according to the GDPR Adaptation Decree, will remain in force until completion of the review process to be carried out by the Garante to ensure consistency with the GDPR.
Health data is ‘sensitive’ data and is therefore subject to the special safeguards provided for this category of data.
The Privacy Code allows the communication of health data to professional third parties, in aggregate (ie, anonymous) form and subject to Garante’s prior authorisation, for research and statistical purposes. Concerns have been raised, but not by the Garante, which believes data subjects’ protection is properly ensured.
Guidelines have been adopted by the Garante to address particular cases. Pursuant to the GDPR Adaptation Decree, they are still applicable insofar as they are consistent with the GDPR.
Communications data are not considered to be ‘sensitive’ data; nevertheless, a high level of protection is granted under criminal law provisions, aimed at ensuring that collection of communications data is limited to what is necessary to prosecute offences.
‘Sensitive’ data revealing union membership has been addressed in a recent order issued by the Garante, clarifying that an employer cannot communicate information concerning its employees’ union membership.
‘Judicial’ data, referred to as “data relating to criminal convictions and offences,” is not ‘sensitive’ data; nevertheless, its processing is subject to tight constraints. Processing shall be carried out only under the control of an official authority or when authorised by the applicable law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of the official authority.
Text messaging can be used to send marketing communications.
The relevant legal basis for processing used to be data subjects’ prior consent. Section 47 of the GDPR, stating that direct marketing purposes may be carried out under the legitimate interest of the controller, led many to question the exact scope of application of the legitimate interest and whether it can serve as a legal basis for telephone marketing. The Garante has not made its position clear and guidelines are eagerly awaited, since the legitimate interest as a legal basis for processing in lieu of consent would ease the data collection process of most controllers.
Soft-spam exemptions do not apply to the processing of phone numbers – therefore, a phone number collected in the context of the sale of a product or service shall not be processed for direct marketing of a controller’s own products or services without the data subject’s consent. The awaited e-regulation will probably clarify the issue.
It should be noted that consent – if any – to receive marketing communications via automated calling or further systems without human intervention (fax, SMS, email, MMS, recorded calls) is deemed to include consent to receive marketing communications via traditional means (paper mail), but not vice versa.
Regarding phone numbers processed for marketing purposes, the Opt-Out Register (Presidential Decree 178/2010) should be mentioned. This collects, on a voluntary basis, the telephone numbers as contained in publicly available paper or electronic directories of data subjects who do not want their data processed for direct marketing or advertising purposes, or else for carrying out market surveys or interactive business communication.
According to Law 5/2018, the Opt-Out Register shall include also mobile numbers and controllers processing phone numbers for marketing purposes are required to check, at least once a month, whether phone and mobile numbers have been included in the register, since a subsequent inclusion serves as waiver of the consent to processing.
Further to the amendment under Presidential Decree 149/2018, the Opt-Out Register shall also include physical addresses: therefore, by enrolling in the Opt-Out Register, data subjects may also object to the receipt of marketing communications sent in paper form to their residential addresses published in publicly available paper or electronic directories.
Special provisions apply to providers of call centre services (either directly or through third parties), for both inbound and outbound calls. The customer shall be informed of the country in which the call centre operator is located; if it is a third country, a prior notice shall be filed to the Garante (as well as to the Ministry of Labour, the National Labour Inspectorate and the Ministry of Economic Development) and the customer shall be granted the opportunity to choose to communicate with operators located in Italy or within the EU by an immediate forward of the call.
All call centre providers must also be enrolled in the ROC (Register of Communication Operators) managed by AGCOM. In addition, pursuant to Law 5/2018, providers of call centre services shall update their phone numbers using the prefixes indicated by AGCOM, the aim being to ensure that data subjects are able to easily identify calls dialled for statistical or marketing purposes.
According to Legislative Decree 70/2003 (transposing Directive 2000/31/EC), a website must also clearly state the identification and contact data of its owner.
Tracking cookies, or profiling cookies, shall be installed provided that website users:
Data subjects’ consent is required not only for tracking cookies, but also for analytics provided by third parties, which are assimilated to profiling cookies if no measure to reduce cookies’ identifying ability is implemented and if the third party matches the information collected via cookies with other information already owned.
Data subjects must be granted control over processing of their personal data. A ‘do not track’ option gives data subjects the ability to make choices about which processing operations to allow.
Behavioural advertising requires profiling. Art29WP’s guidelines on automated individual decision-making and profiling should be taken into account, in which it clarifies that no legal basis for processing shall be excluded a priori and confirms that behavioural advertising does not necessarily have to be based just on consent. The Garante has not yet made its position clear; guidelines are eagerly awaited.
Where consent is relied upon, it has to be borne in mind that this processing operation corresponds to a specific purpose (since it is based on a profiling activity), and therefore it shall not be deemed included in the definition of ‘marketing,’ thus requiring a separate consent.
So-called ‘social spam’ results in unlawful processing; this has been clarified by the Garante in a number of cases.
The general principle that controllers shall bear in mind is that an email address published on a social network cannot be processed for whatever purposes based on the sole fact that it is publicly accessible personal data.
As far as video and television are concerned, the Garante has focused on data protection issues concerning interactive television services, recommending that controllers:
No ad hoc regulation is in place concerning social media, search engines and large online platforms. It might be said that this field is self-regulated, being mainly based on codes of conduct adopted by the providers themselves. An exception is Legislative Decree 70/2003, which focuses mainly on the responsibility of contents providers for users’ content; Legislative Decree 206/2005 (Consumers’ Code) should also be mentioned. General rules of law, such as the Privacy Code and criminal provisions, also apply. AGCOM and AGCM (Antitrust Authority) are both active for surveillance.
The Garante has addressed the topic on several occasions, recommending that providers implement adequate security measures but focusing mostly on increasing data subjects’ awareness of the risks of communicating personal data to social networks. Such risks are related to the unavoidable dissemination of data published on the internet and to the consequent difficulty of effective deletion. No social network account is actually completely private.
The right to be forgotten consists of the right to obtain the de-listing of links to web pages published by third parties containing information relating to them from the list of results displayed following a search made on the basis of a person’s name. In short, it is the right not to be publicly reminded long after the relevant event.
The GDPR is clear on the right to be forgotten – it states that data subjects can request to have their personal data erased and no longer processed (except if further retention is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims) and, where the personal data was made public, it forces the controller to take any reasonable steps to inform other controllers that are processing the same personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
The right to be forgotten has always been acknowledged and granted by supervisory authorities and national courts, as well as by the European Court of Justice, even before the GDPR. Reference shall be made, inter alia, to the ‘Google Spain case’ (C-131/12) and to Art29WP’s guidelines on its interpretation.
The same principles are also commonly applied by the Garante when balancing an individual’s right to be forgotten with the public interest to be duly informed. In a recent decision, the Garante requested Google to delete, from the list of search results by name, an article referencing a criminal conviction, since the data subject had subsequently been reinstated and the news was outdated. In contrast, the Garante has confirmed the lawfulness of search results that, although referring to the same legal case, provide further information of actual public interest in light of the role of the data subject, who is still holding high-level public office.
One open issue is the territorial extension of the deletion of the personal data. Indeed, the GDPR does not clarify whether the deletion shall be limited to the EU or extended to the whole world.
The Garante, in a decision issued on 21 December 2017, ordered Google to de-list all search results regarding a data subject, without territorial limits; a similar decision was also taken by CNIL, which fined Google for having limited the de-listing to the EU.
The order issued by CNIL was challenged by Google, and the French court asked the European Court of Justice for a preliminary ruling on whether the deletion shall cover the whole world or be limited to the EU. To date, only the opinion of the Advocate General has been issued, and (in contrast to the decision of the CNIL) it is in favour of limiting the de-listing to the EU.
Hate speech and abusive material are addressed by both data protection laws and criminal laws.
On cyber-bullying, Law 71/2017 grants to persons below 18 years of age the right to obtain erasure of defamatory online contents from a website and/or social network concerned within 24 hours from the request. The aim is to prevent, rather than repress, acts of cyber-bullying through proper education.
As for disinformation, both the Garante and AGCOM are constantly fighting against fake news by increasing users’ awareness and social media and social networks’ commitment.
The right to data portability is governed under the GDPR, being new to Italy. It is defined as a data subject’s right to receive personal data previously provided to a controller in a structured, commonly used and machine-readable format, and to store that data for further personal use with or without transmitting the data to another controller.
The right to data portability shall be exercised when the processing is based on a data subject's consent, or on a contract to which the data subject is a party, and is carried out through automated means. Moreover, it will cover only the personal data of the requesting data subject (which does not concern other data subjects) that has been knowingly and actively provided to the controller by the data subject itself, also by virtue of the use of a service or a device (ie, a person’s search history, traffic data and location data, or other data such as the heartbeat tracked by a wearable device). Consequently, inferred data and derived data created by a controller on the basis of the data provided by a data subject are excluded.
This right is without prejudice to other rights granted to data subjects, who shall continue to use the controller’s service even after a data portability operation (which does not automatically imply erasure of data).
These and further issues are addressed in Art29WP’s guidelines.
There has been a case involving Facebook and WhatsApp, concerning the consent collected in 2016 by WhatsApp to the communication of personal data of Italian data subjects to Facebook for behavioural advertising purposes.
The consent was found to be unlawfully collected, since:
The Garante also stressed that the legitimate interest could not be invoked in that case, since the balancing test had not been performed and nothing had been provided to verify whether the processing was actually necessary to pursue the declared interest.
With effect from 4 October 2018, both Facebook and WhatsApp were prevented from further processing data that had been unlawfully collected.
Under Italian law, persons below 18 years shall act under their parents’ authorisation (or that of whoever holds parental responsibility). Therefore, any consent to the processing of children's data shall be obtained from whomever has the relevant parental responsibility.
As far as the offer of information society services is concerned, the Privacy Code sets the threshold at 14 years of age (under Article 8 of the GDPR).
Schools and educational institutions are bound by a duty of publicity and transparency. The Garante has issued guidelines to help in complying with both transparency and data protection.
The Privacy Code facilitates vocational orientation and training as well as employment in Italy and abroad, allowing high schools and other educational bodies to communicate or disseminate data on the evaluation and marks obtained by students, as well as to private entities and by electronic means, upon the data subjects' request, provided that such data is relevant for the mentioned purposes and that data subjects have been duly informed thereon.
The possibility to base marketing on the legitimate interest instead of consent seems to have been introduced by Recital (47) of the GDPR (according to which the legitimate interest of the controller or of a third party might be a suitable basis for the processing of personal data for marketing purposes, thus excluding the need to collect data subjects’ consent) but has not yet been addressed either in guidelines from the EDPB, nor in guidelines issued by the Garante.
When needed, consent is deemed to be effective:
A separate consent is required for each purpose being sought and for each processing operation at issue – therefore, a specific consent shall be collected for marketing, profiling and disclosure of the data to third parties, which shall be clearly identified either by name or business or commodity category. ‘Marketing’ includes advertising materials, direct selling, surveys and commercial communications, since they are mostly instrumental to the achievement of a single purpose (ie, the marketing purpose), but it does not include either profiling or behavioural advertising.
The information notice and consent request must clearly identify the means of delivery of marketing communications (either conventional marketing channels, systems without human intervention, or both). Data subjects shall be informed of their right to revoke consent at any time for one or more of the purposes for which their data is processed, as well as to object to the use of one or more contact details, without affecting the lawfulness of processing based on consent before its withdrawal.
The above issues are addressed in Garante’s ‘Guidelines on Marketing and against Spam,’ which shall be deemed to still be in force insofar as they are consistent with the GDPR.
As to the processing of employees’ personal data, the Garante has issued several guidelines that clarify employers’ (controllers’) duties and employees’ (data subjects’) rights under the applicable data protection law, provided that sectorial provisions such as the Workers’ Statute remain unaffected.
There are no legal standards for regulators to allege violations of data protection laws; assessment is made on a case-by-case basis.
Legislative Decree 51/2018 repealed those provisions of the Privacy Code ruling personal data processing by police authorities.
The new set of rules introduced derogations and specifications to the ‘general’ provisions of the GDPR. Such rules are self-standing, and not limited to amendments or additions.
Law enforcement access to data for serious crimes is allowed without a prior judicial order, in cases where it is necessary for justice or police purposes.
Privacy is protected by limits to law enforcement access to data, as well as by those provisions applicable to processing by public authorities and judicial authorities as provided under Legislative Decree 51/2018.
The processing of ‘judicial’ data, referred to as “data relating to criminal convictions and offences,” is subject to tight constraints (see Article 10 of the GDPR).
Validity and enforceability of documents, records and measures based on personal data in breach of the relevant laws or regulations might be excluded under the applicable civil or penal laws (see Article 160-bis of the Privacy Code).
Although Legislative Decree 51/2018 excludes from its scope the processing of personal data for national security purposes, the Privacy Code extends the applicability of some of the provisions of the above-mentioned Decree to such processing activities, namely definitions, general principles, automated decision-making (including profiling), privacy by design and privacy by default, processors, security measures, supervisory authority, compensation rights, administrative fines and criminal sanctions.
Law 124/2007 governs the Italian national security information system and state secrets.
Law enforcement access to data is allowed without a prior judicial order when processing operations are carried out by public bodies for purposes of defence or of granting state security, as expressly required by laws that specifically provide for such processing operations.
Privacy is protected by limits to law enforcement access to data, as well as by those provisions applicable to processing by public authorities and judicial authorities as provided under Legislative Decree 51/2018.
The processing of ‘judicial’ data, referred to as “data relating to criminal convictions and offences,” is subject to tight constraints (Article 10 of the GDPR).
Validity and enforceability of documents, records and measures based on personal data in breach of the relevant laws or regulations might be excluded under the applicable civil or penal laws (Article 160-bis of the Privacy Code).
Foreign government access requests might be a legitimate basis on which to collect and transfer personal data if based on important reasons of public interest, which shall be recognised by EU or national law.
Legislative Decree 51/2018 also provides for specific derogations to the transfer of personal data. A foreign government access request is not expressly listed; nevertheless, based on the circumstances of each case, it might be traced back to one or more of the lawful bases expressly provided.
Government access to personal data raises concerns in that data subjects perceive it as an unwelcome intrusion into their private life, since, in most cases, it is hidden and not disclosed until a sanction is applied.
Provided that data subjects have been duly informed thereon, the transfer of personal data is freely available among EU Member States because it is taken for granted that data subjects receive an adequate level of protection in all EU countries.
The transfer of personal data to third countries is prohibited if the laws of the destination country or transit of the data do not ensure an adequate level of protection of individuals, or if suitable safeguards are not in place to protect data subjects.
A transfer of personal data to a third country may take place:
Where none of the above is applicable, a transfer may occur only if it is not repetitive, it concerns only a limited number of data subjects, is necessary for the purposes of the controller’s compelling legitimate interests and not overridden by the interests or rights and freedoms of the data subject, and under suitable safeguards. The Garante shall be informed beforehand.
Privacy Shield is an agreement between the EU and the US, providing for the specific commitments of public and private entities to ensure the effective protection of EU data subjects’ personal data. After the second annual review of the Privacy Shield, the EDPB raised concerns over:
An adequacy decision concerning Japan has recently been adopted, creating a wider space for safe transfer of personal data, and binding Japanese companies to supplementary rules when processing personal data transferred from the EU.
No government notifications or approvals are required to transfer data internationally.
Special requirements might apply to categories of personal data of a more sensitive nature (such as ‘judicial’ data, or information covered by business and industrial secrecy).
There is no general duty to maintain data in-country.
No software code, algorithms or similar technical detail are required to be communicated to the government. Nevertheless, the Garante (as well as any other relevant public authority) is entitled to ask controllers and processors for such information.
The transfer of personal data by private entities to foreign countries for foreign government data requests, foreign litigation proceedings and internal investigations is subject to the same safeguards discussed above. It should be noted that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring the transfer of personal data may only be enforceable under an international agreement.
Data protection law prohibits data transfers unless appropriate safeguards are in place. This is the main ‘blocking’ statute to international data transfers.
Further prohibitions might be based on sectorial laws (such as labour laws or trade secret provisions).
The processing of Big Data analytics shall abide by the relevant provisions on data protection. Concerns have been raised by the Garante in that Big Data is too innovative for the easy application of data protection rules.
On 30 May 2017, the Garante, the AGCM and the AGCOM undertook a public survey on Big Data, aimed at identifying risks and defining rules to protect personal data, consumers and the digital economy. The final outcome has yet to be disclosed.
The GDPR broadens protection against decisions based solely on automated processing (including profiling), granting to individuals the right to obtain human intervention on the part of the controller, to express their point of view and to contest a decision based on an automated process.
Save for the above, automated decisions are only legitimate if:
• data subjects have been duly informed thereon and have granted their consent;
• the decision is necessary for entering into, or the performance of, a contract between the data subjects and the controller; and
• the decision is authorised by applicable law.
The Garante has addressed profiling mainly from the perspective of marketing and advertising, highlighting the need for specific consent and issuing guidelines on online profiling to suggest a double-layered information notice. These guidelines and measures are still applicable as far as they are consistent with the GDPR, which might entail a different legal basis for processing to be used.
Art29WP’s guidelines on automated individual decision-making and profiling are also relevant.
Artificial intelligence has garnered a great deal of attention recently.
In March 2018, Agid (Agency for Digital Italy) issued a white paper on artificial intelligence and its potential benefits in the public sector, and also set up a task force.
In January 2019, two groups of experts were appointed to work with the Ministry of Economic Development to develop an Italian strategy on artificial intelligence and blockchain to be discussed at a European level.
In February 2019, the legal enforceability of both smart contracts and distributed ledger technology time-stamping was recognised, thus equating a smart contract to a written contract.
Finally, the Committee of the Council of Europe’s Convention 108 also issued guidelines.
The main issues concern system accountability and transparency of the choices made by algorithms through tracking. Article 22 of the GDPR, dealing with autonomous decision-making, has been criticised as limiting artificial intelligence in that it grants the right to obtain human intervention.
Risks related to the IoT have been assessed by Art29WP’s opinions.
The Garante has drawn controllers’ attention to the need to ensure effective data protection by design and by default and duly to inform data subjects.
Autonomous decision-making has to be deemed subject to the same rules provided for automated decision-making, as long as it entails personal data processing.
Facial recognition entails the processing of biometric data and is subject to the same rules (see below). Art29WP’s opinions thereon should also be mentioned, highlighting – inter alia – that facial recognition might also involve ‘sensitive’ data processing.
Biometric data is classed as ‘sensitive’ data when used for the purpose of uniquely identifying a natural person.
The Garante has issued guidelines on biometric recognition and graphometric signatures. Any processing of biometric data that conforms to these guidelines is not subject to the prior authorisation of the Garante. The guidelines also introduce the duty to inform the Garante of any biometric data breaches within 24 hours of becoming aware of such an event, using the draft format provided.
These guidelines shall be deemed to be still in force as long as they are consistent with the GDPR. On the one hand, it is certain that no prior authorisation shall be obtained (the prior consultation of the Garante might nevertheless be necessary, based on the outcome of the DPIA – when required); on the other, it is uncertain if the deadline to notify a breach will remain at 24 hours or whether the broader deadline of 72 hours provided under the GDPR will prevail.
Geolocation data is considered personal data.
In a recent decision on GPS installed on vehicles provided to employees, the Garante stressed the need to include the ‘right to privacy’ in the functionalities of the car itself, paying attention in particular to the data-minimisation principle as well as to those of privacy by design and by default.
Article 4 of the Workers’ Statute shall also apply; therefore, unless equipment used to collect the location of the employee is necessary for executing the obligations arising from the employment contract, processing shall only be legitimate subject to agreement with trade unions.
The use of drones raises a number of privacy issues, mainly related to a lack of transparency of processing operations due to the difficulty in knowing what equipment is on board and by whom and for what purposes personal data is being collected. Drones’ potential to invade the privacy of individuals is also acute, due to their ability to avoid obstacles and achieve unique viewpoints.
Criminal law provisions have to be taken into account when recording other people’s conversations or private spaces (ie, a house or private garden).
Regulations issued by ENAC (National Civil Aviation Entity) and on CCTV systems are also relevant.
The NIS Directive aims to improve cyber-security, increasing the level of security of networks and information systems with specific regard to services vital to the EU, as well as improving cooperation at EU level. Italy has implemented the NIS Directive with Legislative Decree 65/2018 (‘NIS Decree’), addressed to providers of essential services and key digital service-providers (such as search engines, cloud computing services and online marketplaces).
Digital service-providers shall comply with the Commission Implementing Regulation (EU) 2018/151, laying down rules for application of the NIS Directive as regards further specification for managing the risks and parameters for determining whether an incident has a substantial impact.
Other relevant laws include:
• Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC (‘EIDAS Regulation’);
• Directive 2013/40/EU on attacks against information systems, replacing Council Framework Decision 2005/222/JHA;
• the Criminal Code;
• Legislative Decree 259/2003 (‘Electronic Communications Code’); and
• Legislative Decree 82/2005 (‘Digital Administration Code’ or ‘CAD’) and its implementing ministerial decrees.
ENISA is an advisory board for the EU on cyber-security issues, actively promoting a high level of network and information security.
ENISA actively liaises with the Multi‐Stakeholders Platform on ICT standardisation, an advisory expert group on all matters related to European ICT standardisation, as well as the CEN-CENELEC Focus Group on Cyber-security (CSCG), which was created by European Standardisation Organisations (CEN, CENELEC and ETSI) to provide support for the analysis of technology developments and the issuance of recommendations for international standard-setting.
The OSCE (Organisation for Security and Co-operation in Europe) is also active in cyber-security – its aim is to increase trust among Member States.
The Garante is in charge of receiving data breach notifications and checking the adequacy of the organisational and technical measures adopted to protect personal data, as well as to recommend actions and impose fines in the case of infringements.
The NIS Decree expressly requires the NIS Authorities (five ministries have been duly appointed in Italy) to consult and co-operate with the Garante.
Agid oversees the execution of the Italian digital agenda and compliance with the European digital agenda. Its tasks include the issuance of opinions, guidelines and technical rules, predominantly in the public sector.
Supervisory authorities, such as AGCOM, Banca d’Italia (the Central Bank of Italy) and IVASS (Institute for Private Insurances Supervision) are empowered to issue regulations and guidelines that might also concern cybersecurity (such as the Order of 17 December 2013 of Banca d’Italia, updated on 23 October 2018).
The CINI (Inter-university Consortium on Information Technology) is the main reference point for academic research on information technology. In partnership with CIS Sapienza (the Research Centre of Cyber Intelligence and Information Security of Sapienza Rome University), it regularly publishes reports on Italian cyber-security, addressing essential cyber-security controls.
The CLUSIT (Italian Association for Cyber Security) aims to increase awareness of cyber-security among companies, public authorities and private citizens.
Assinform, the national association of information technology companies operating in Italy, is a private association representing companies of all sizes and specialisations and acts as a bridge between the IT sector and the main public Italian authorities.
Unless otherwise provided, recognised standards are not compulsory requirements, but rather tools to be used by controllers to identify the appropriate security measures to be implemented.
The UNI (Italian National Unification Entity) is a private not-for profit entity, recognised by both the Italian government and the EU and having been conferred legal status, that issues voluntary technical standards concerning all business sectors. UNI represents Italy at both CEN (European Committee for Standardization) and ISO (International Organization for Standardization), both of which are standardisation bodies.
Among many others, the ISO 27000 series appears to be the preferred standard to infer data protection security measures.
Written information security plans and incident response plans may, on a case-by-case basis, be appropriate security measures to notify data breaches and to detect a breach. They can also be used to notify breaches to the Garante, when necessary, within 72 hours after having become aware of the breach, and to adopt any due measures to mitigate the consequences.
According to the Garante’s ‘Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator,’ issued in 2008 (as further amended), a ‘system administrator’ is “a professional in charge of managing and servicing a processing system and/or component thereof.”
This order provides for minimum provisions to be included in the appointment of a system administrator, and its consistency with the GDPR has been questioned. While waiting for an official decision from the Garante, many controllers are choosing to draft an appointment comprising compulsory elements of both a processor and a system administrator.
The board of directors (or the sole administrator) is the managing body of a company and is ultimately responsible for ensuring that appropriate measures are in place.
Internal risk assessments, vulnerability scanning, penetration tests and the like may be, on a case-by-case basis, appropriate security measures.
An insider-threat programme shall abide by the laws and principles concerning the control and monitoring of employees.
Vendors and service-providers shall be appointed only after a due check of their ability to provide sufficient guarantees to implement appropriate technical and organisational measures. Their compliance shall be monitored.
When processing personal data, they shall be appointed as processors and all relevant provisions shall apply.
Training is a general duty of employers towards employees. Cyber-security and data protection should be included in such training.
Italy is a party to all major multinational relationships relating to being a member of the EU.
The GDPR provides for some examples of security measures that shall not be minimum compulsory requirements, including pseudonymisation and encryption. Adherence to approved codes of conduct and certification mechanisms helps demonstrate accountability.
Material business data shall benefit from know-how protection measures, when applicable.
The NIS Decree shall be relied upon when dealing with critical infrastructures. Operators shall assess appropriate measures based on their activities, taking into account guidelines and standards (if any) issued by relevant EU and national authorities (such as ENISA).
Digital service-providers can rely also on Commission Implementing Regulation (EU) 2018/151.
There is no legal security requirement to prevent denial of service attacks. Reference shall be made to general principles and rules, as well as to recognised standards.
Data-breach and security incidents' reporting is governed by both the GDPR and the NIS Decree.
Under the GDPR, a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In practical terms, a data breach is a type of security incident.
As to the NIS Decree, an incident means “any event having an actual adverse effect on the security of network and information systems,” and security of network and information system means “the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.”
All personal data may be the subject of a security incident or a data breach, which might be either a ‘confidentiality breach’ (in the case of disclosure), an ‘availability breach’ (in the case of loss of access or destruction), an ‘integrity breach’ (in the case of alteration), or all of the above.
No system is excluded from data breaches.
Two regulations must be mentioned – Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices. Both entered into force on 25 May 2017 but will apply after a transitional period of three and five years respectively.
Although the new rules are a step forward, they do not address security requirements in full detail. Reference shall thus be made to general data protection rules, especially those concerning ‘sensitive’ data, as well as to general standards (such as the ISO 27000 series, ISO 80001, ISO 14971, IEC 62304 and IEC 82304-1). Controllers and processors will have to assess the risks and implement adequate security measures to ensure protection, both by design and by default, according to the accountability principle.
ENISA guidelines should also be mentioned.
As with medical devices, Industrial Control Systems (such as SCADA) do not benefit from rules listing due to security requirements. General data protection principles, as well as general standards, shall help in the assessment.
ENISA has drafted a report listing most applicable standards.
No consolidated set of rules clarifies security requirements for the IoT.
Art29WP recommended the performance of security assessments of systems as a whole, the application of principles of composable security, the use of certification for devices and the implementation of internationally recognised security standards, taking into account all specific operational constraints. The data minimisation principle has to be strictly followed.
Controllers shall notify data breaches to the Garante "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33 of the GDPR). The term for the notification is 72 hours after having become aware of the breach.
As to the NIS Decree, the duty to notify incidents without undue delay applies to providers of essential services and key digital service providers. The notification shall be made to the CSIRT and to the relevant NIS Authority. The CSIRT shall forward the notification to the Information Security Department in charge of the prevention of and preparation for crisis situations, as well as to the activation of alert procedures.
The NIS Decree entitles entities that do not fall under its scope to notify, on a voluntary basis, security incidents having a severe impact on the continuity of the services provided, following the same procedure as the compulsory notification.
The data breach has to be communicated to data subjects, without undue delay, if it is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 34 of the GDPR), or if it is required by the Garante. The aim is to provide individuals with information on the measures to take to protect themselves.
As to security incidents, the relevant NIS authority, in agreement with the Information Security Department and the CSIRT, and subject to prior consultation with the service provider affected by the incident, might inform the public (or require the service provider to inform the public) of each incident with the aim of raising awareness and preventing future incidents, or managing an incident already occurred.
Both the GDPR and the NIS Decree do not provide for the duty to notify the data breach to companies or organisations that are not directly concerned by the breach itself.
The criteria to understand whether a data breach has to be notified is the likelihood of “risk to the rights and freedoms of natural persons” – therefore risk is a trigger for notification. Based on the seriousness of the risk, the breach might also have to be communicated to each data subject affected by the breach itself. Art29WP and ENISA have provided guidelines on the assessment of risk.
As to the NIS Decree, the main criteria to understand whether an incident has to be notified is its effect on the security of network and information systems.
Network monitoring shall be permitted according to applicable data protection rules and principles.
The NIS Decree provides for the notification of security incidents to be forwarded to governmental authorities such as NIS authorities and CSIRT. These authorities might have to involve the relevant EU authorities, based on the severity of the incident.
In 2016, Uber suffered a severe data breach. During the investigation into the consequences of the breach for Italian citizens, the Garante ascertained that the information notice provided by Uber was not compliant with relevant data protection provisions and no consent had been collected to profile users for anti-fraud purposes. In addition, no notification for the geolocation data of Uber users had been made to the Garante, as required by the Privacy Code prior to the entry into force of the GDPR. An autonomous fining procedure was therefore started in December 2018 and is currently ongoing.
In May 2018, the Garante issued a fine of EUR160,000 to the main Italian telecom operator for a data breach that occurred in 2013. The breach, arising from a malfunctioning of services provided to clients, consisted of the disclosure of personal data to other clients due to a mistake in the matching of credentials with the data to be displayed.
In December 2018, the Garante ordered a major bank to notify data subjects of a data breach suffered a couple of months before and already communicated to the authority, granting a short timeframe to confirm such notification and the remedial actions taken.
After the entry into force of the GDPR, data breach notifications appear to have increased. From 25 May 2018 to 31 December 2018, 630 data breaches were notified to the Garante, whereas cyber-attacks increased by 500%.