The Italian regulatory framework on the protection of personal data and privacy is dictated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (GDPR). To the extent that such protection is not covered by the GDPR, it is regulated by Legislative Decree No 196/2003 (the “Privacy Code”).
Further detailed rules are contained in Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as transposed into Italian law by the Privacy Code.
With particular reference to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, the regulatory framework is instead governed by EU Directive 2016/680, transposed into the Italian legal system through Legislative Decree No 51/2018.
Finally, other specific indications and/or interpretations are contained in the decisions, recommendations and guidelines issued by the national supervisory authorities and the European Data Protection Board (eg, in Italy, the requirements for system administrators).
As mentioned in 1.1 Laws, supervisory authorities have limited regulatory power, mainly through the adoption of guidelines and opinions interpreting legal provisions. However, supervisory authorities (in Italy, the Autorità Garante per la Protezione dei Dati Personali – GPDP) also have supervisory powers to monitor compliance with data protection legislation, and benefit from investigative powers that include, ex multis, the possibility of requesting information from data controllers and data processors, or conducting on-site checks and inspections.
Data protection legislation may also be applied by the courts in the case of appeals lodged by individuals (particularly in the case of claims for damages or appeals against decisions of the supervisory authority).
As mentioned in 1.2 Regulators, GPDP inspections may be triggered by the authority itself (on the basis of an inspection plan adopted and published every six months, or following the notification of a personal data breach) or by data subjects or other third parties (in the case of complaints or reports).
In the event of a complaint by a data subject, the GPDP shall verify the correctness and completeness of the complaint and, if necessary, grant the complainant a period of time to amend it, normally not exceeding 15 days. In the event of a correct and complete complaint (or in the event of an investigation on its own accord, such as following the notification of a personal data breach), the GPDP shall start a preliminary investigation during which the documentation received is examined and/or further information is requested from the data controller or data processor.
In that scenario, inspections may also be carried out, during which the entity subject to inspection may be assisted by its trusted advisers and reserve the right to produce the documentation that is not immediately available within a reasonable period (as a rule, not exceeding 30 days). A record of the activity carried out shall also be drawn up, with particular reference to the statements made and the documents acquired, and a copy shall be given to the subject under inspection.
Closing of the Preliminary Investigation and Archiving
At the end of the preliminary investigation, the competent department within the GPDP may conclude its examination of the complaint by archiving it, when:
In the case of a complaint, feedback is provided to the applicant, briefly stating the reasons why no action is taken.
Initiation of Proceedings
If the matter is not dismissed following the preliminary investigation, the competent department shall initiate proceedings for the adoption of measures by the board of the GPDP, by means of its own communication to the data controller and/or data processor. The communication shall contain:
Right of Defence
The addressee of the notice may exercise the right of defence by submitting written statements and documents within 30 days from the date of notification of the communication, as well as a personal testimony regarding the facts of the notice, where requested.
The addressee of the notice may request a short extension by specifically and duly motivating the request. The extension shall normally not exceed 15 days, and may be granted according to proportionality criteria and criteria relating to the operational/dimensional characteristics of the addressees themselves and to the complexity of the matter under examination. The addressee of the notice may also request a hearing before the GPDP.
Failure to submit written counter-arguments or a request for a hearing shall not prejudice the continuation of the proceedings.
Where necessary, the board of the GPDP, by its own resolution, shall adopt the corrective and sanctioning measures referred to in Article 58(2) of the GDPR (in the case of an administrative pecuniary sanction, the quantum is calculated on the basis of the criteria indicated by Article 83 of the GDPR). The decision is notified to the parties by the department, service or other organisational unit that has supervised the preliminary investigation.
Appeal Against Measures of the GPDP
Under penalty of inadmissibility, an appeal against the measures adopted by the GPDP must be lodged within 30 days from the date of communication of the decision or within 60 days if the appellant resides abroad, with the ordinary court of the place where the data controller resides, or with the court of the place of residence of the data subject. At the time of the appeal, it is also possible to request the court to suspend the enforceability of the contested decision.
The so-called “work ritual” (labour-law procedure) applies to the judicial proceedings; the judgment that concludes them is not subject to appeal and may order the necessary measures and compensation for damages.
With regard to multilateral agreements with countries outside the European Economic Area, the adequacy decisions adopted by the European Commission pursuant to Article 45 of the GDPR must be taken into account (see 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers for more detail) to legitimise a transfer of personal data.
On the other hand, any local provisions in force in the individual member states are legitimate only where the GDPR provides for local legislation (eg, in the case of limitations on the processing of particular categories of personal data or the processing of personal data in the context of the employment relationship).
These entities do not have an expressly defined role in data protection legislation but may operate as bodies that protect the rights of data subjects and whose activity is aimed at promoting compliance with data protection principles through the promotion of complaints and judicial remedies (eg, NOYB – European Center for Digital Rights), or as professional associations supporting them (eg, IAPP – International Association of Privacy Professionals). There are also bodies aimed at promoting study, research and innovation in the field of personal data protection, such as the Italian Privacy Institute or the European Centre for Certification and Privacy (scheme owner of the EuroPrivacy certification pursuant to Article 42 of the GDPR).
The main objective of the European legislator – achieved with the GDPR and in progress as far as the electronic communications sector is concerned – was to harmonise personal data protection regulations among the various member states, with a view to simplifying and facilitating the circulation of data and the internal market. Moreover, the GDPR has given rise to a shift away from a merely formal compliance model (based, for instance, on checklists and lists of universally valid security measures) to a substantial and flexible model. In other words, by requiring data controllers to assess, identify and adopt the security measures appropriate to their own organisations, also in view of the available technologies and the relevant costs, the GDPR allows them to adapt to any sector and to remain up to date, even in light of technological developments.
It is therefore not surprising that the GDPR is taken as a model for all new data protection legislation, and that a debate has arisen in the US as to whether a federal regulation of the subject is appropriate.
One of the main issues addressed in the last 12 months is the legitimacy of the use of Google Analytics cookies in light of the transfer of personal data to the US, despite the activation of the IP address anonymisation feature. This has led to an acceleration of the migration towards the new solution offered by the provider (Google Analytics 4), whose legitimacy (as well as that of the solutions offered by alternative providers) also had to be assessed in light of the technical measures to prevent the transfer of personal data (eg, proxification).
A closely related issue was the activity following the complaints lodged by NOYB – European Center for Digital Rights against the operators of thousands of European websites accused of violating personal data protection principles (in particular, those of transparency and freedom of consent) through the use of so-called dark patterns.
A major topic that is fuelling the debate is the monetisation of personal data and the possibility for data subjects to use personal data as a counter-performance as payment for goods and services. This issue will also be the subject of particular attention in light of:
A second theme is likely to be the gradual abandonment of third-party cookies in favour of so-called cookie-less solutions or alternatives based exclusively on first-party cookies for targeting and advertising.
Data Protection Officer (DPO)
Pursuant to Article 37 of the GDPR, as interpreted by the supervisory authorities' guidelines, the appointment of a DPO is mandatory for public administrations or where the main activities carried out by the data controller or data processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale or the processing on a large scale of special categories of data and personal data relating to criminal convictions and offences. In addition, the European guidelines make it clear that data controllers and data processors must document their assessments as to whether or not to designate a DPO and periodically review this assessment, unless it is evident that an organisation is not required to designate a DPO.
The tasks of the DPO are set out in Article 39 of the GDPR and consist of:
In the performance of their tasks, the DPO shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Lawfulness of Processing
Any processing of personal data must be based on at least one of the following legal bases provided for in Article 6(1) of the GDPR:
Data Protection by Design and by Default
Both at the time of the determination of the means for new processing and at the time of the processing itself, the data controller shall implement appropriate technical and organisational measures that are designed to implement data protection principles and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. At the same time, the data controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed.
Data Protection Impact Assessment
Pursuant to Article 35 of the GDPR, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, particularly processing using new technologies, and taking into account the nature, scope, context and purposes of the processing, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, prior to the processing. This activity is especially required in the following:
The supervisory authorities have also identified a further criterion for assessing the need for a DPIA; in fact, they have identified nine risk factors and provided for the obligation of such an activity when a processing operation presents two or more of them. This approach was also used to draw up the blacklist of processing operations that the supervisory authorities locally require to be subject to a DPIA.
This assessment shall contain at least the following:
Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate such risk, the controller shall consult the supervisory authority prior to processing.
Internal and External Privacy Policies
A corollary of the transparency principle is the obligation for data controllers to inform data subjects about the processing of personal data, providing them with the information required by Articles 13 and 14 of the GDPR. For data collected directly from the data subject, this must be done at the time the data is obtained; for data not provided directly by the data subject, at the time of the first contact with the data subject or, in any event, within 30 days. In the second case, the information does not need to be provided to the data subject when:
Data Subjects’ Rights
Data subjects have certain rights under the GDPR in order to allow them to have continuous and effective control over their personal data. In particular, data subjects have the right to:
Anonymisation, De-identification and Pseudonymisation
Anonymisation and pseudonymisation are two processing operations aimed respectively at excluding or reducing the ability of information to be attributed to a specific data subject. The former makes such subsequent re-identification impossible and therefore aims to exclude the applicability of data protection provisions on the resulting output (the so-called anonymised data).
The second is instead a security measure expressly referred to in Article 32 of the GDPR and defined as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
Automated Individual Decision-Making
As anticipated, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the subject or similarly significantly affects them. It does not apply if the decision is:
In the first and last cases, the data controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision. In addition, the data controller shall provide the data subject with information about the existence of automated decision-making, including profiling, and with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
“Injury” or “Harm” in Data Protection Law
From a data protection perspective, it is necessary to pay attention to the risk to the rights and freedoms of natural persons in terms of physical, material or non-material damage, particularly where the processing may give rise to discrimination, identity theft or fraud, financial loss, reputational damage, the loss of confidentiality of personal data protected by professional secrecy, the unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
In addition to the legal bases listed under Article 6(1) of the GDPR indicated in 2.1 Omnibus Laws and General Requirements, a distinction must be made between the following.
In Italy, the general rule is set out by Article 130(1) and (2) of the Privacy Code (which transposes Directive 2002/58/EC), under which commercial and promotional communications by email, fax, telephone and similar means of communication require the prior consent of the user (natural or legal person). However, Article 130(4) provides for an exception to the requirement of consent, allowing for the processing of the email address provided by the data subject in the context of the sale of a product or a service for the purpose of sending commercial communications aimed at the direct sale of products or services similar to those already purchased, provided that the data subject has been adequately informed and does not refuse such use, either initially or on the occasion of subsequent communications.
With specific regard to telephone marketing activities, Article 130(3-bis) provides that data controllers may lawfully contact all users who have not objected to receiving commercial communications by telephone by enrolling in the Register of Opposition. In this sense, pursuant to Law No 5/2018, users may enrol in the register in order to prevent subsequent communications and, at the same time, withdraw any consent previously given to the processing of their personal data for telephone marketing purposes. Accordingly, a data controller who intends to carry out telemarketing activities is required to consult the register at least every 15 days or, in any event, before the start of a new campaign.
On the other hand, online marketing may consist primarily of an activity carried out through the use of profiling and advertising cookies (see 2.2 Sectoral and Special Issues), or of behavioural advertising and targeting activities carried out through the use of external databases (especially those of social networks). In this second case, the jurisprudence of the Court of Justice of the European Union and the interpretation provided by the EDPB in Guidelines 8/2020 clarify the need to carry out the activity on the basis of the prior consent of the data subject and, as a general rule, to reconstruct the privacy roles between the company and the social network as joint controllers of the processing to be regulated under Article 26 of the GDPR.
Processing carried out in the employment context is one of the areas whose regulation the GDPR defers to national law, without prejudice to certain common guidelines and orientations first shared by WP29 and then by the EDPB, specifically regarding the vulnerable position of the data subject employee vis-à-vis the data controller employer (a situation that results in the presumption of the invalidity of any consents requested from the employee due to a lack of freedom).
Managing the Selection Process and the Employment Relationship
In these phases, the employer's activities must respect – more than ever – the principle of minimisation, ensuring that only personal data that is essential for the performance of work duties and that, to a large extent, is governed by labour law provisions (eg, Article 8 of Law No 300/1970 or Legislative Decree No 81/2008) is requested from the candidate or employee.
Remote Monitoring of Workers
Without prejudice to a general prohibition on the use of instruments to monitor employee activities, this case is governed by Article 4 of Law No 300/1970, which legitimises the use of such tools solely for organisational purposes and the protection of company assets (eg, cybersecurity purposes). In this case, without prejudice to instruments that are essential and prearranged for the performance of work duties, the use of instruments for remote monitoring is permitted only if doing so is:
In these cases, the employee data subject will have to be provided with additional and detailed information on what is normally provided for under Articles 13 and 14 of the GDPR; this can be done by adopting an internal regulation on the use of IT tools, for example, which also informs employees of the possible controls and their purposes.
However, although the agreement with trade union representatives or administrative authorisation is sufficient to legitimise the activity from the point of view of labour law, this does not exempt the employer from complying with the principles on the protection of personal data (eg, the principle of minimisation). In this sense, monitoring in clear of the URLs visited by employees is unlawful because, for security purposes, the same result can be achieved by implementing filters that block access to potentially risky websites. On this point, see also the Guidelines adopted by the GPDP on 1 March 2007.
Whistle-Blowing and the Transparency Decree
The national legislation on whistle-blowing is currently being updated to transpose Directive (EU) 2019/1937. Pending the new provisions, in Italy the reporting of possible wrongdoing is limited exclusively to the violation of certain legal provisions, and is regulated differently between the private and public sectors (eg, only in the latter case must a reporting channel be provided to guarantee the anonymity of the reporter). With regard to the protection of personal data, the general principles dictated by the GDPR remain valid, concerning the obligations to set up reporting and management processes in compliance with the principles of privacy by default and by design, carry out a DPIA on the processing, limit the storage of information, etc.
Further obligations (mainly informative) are also imposed by Legislative Decree No 104/2022 (the so-called “Transparency Decree”), which prescribes the need to carry out a DPIA and to provide additional information to data subjects in the event of “the use of automated decision-making or monitoring systems designed to provide indications relevant to the recruitment or assignment, management or termination of the employment relationship, the assignment of tasks or duties, as well as indications affecting the monitoring, assessment, performance and fulfilment of contractual obligations of workers.”
Economic Administrative Fines
Please see 1.3 Administration and Enforcement Process regarding the internal procedure of the GPDP aimed at adopting sanctioning measures. The administrative pecuniary fines provided for by Article 83 of the GDPR are capped, depending on the type of infringement, at EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or at EUR20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, when considering the quantum of the administrative fine, the supervisory authority shall also take into account all the circumstances set out in Article 83(2) of the GDPR.
According to Articles 78 and 79 of the GDPR, no provision requires a prior authorisation for judicial protection, which may be sought:
In this regard, it is worth taking note (with particular regard to the first point) of the court's annulment of the decision adopted by the GPDP against Enel Energia SpA on 16 December 2021. On the other hand, there are still some doubts regarding the interpretation of the possibility of resorting to the institutions currently included in the Code of Civil Procedure with regard to the protection of personal data protection rights by means of so-called class actions.
Legislation about the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, is provided by EU Directive 2016/680 and Italian Legislative Decree No 51/2018. The different ways in which data and information are collected by the authorities are regulated by the Civil and Criminal Procedure Codes and, as a rule, require the approval of the judge.
Please see 3.1 Laws and Standards for Access to Data for Serious Crimes.
Please see 4.6 Limitations and Considerations regarding foreign government access requests. Italy does not participate in a Cloud Act agreement with the USA.
Italian data protection legislation does not provide for the possibility of indiscriminate access to personal data by government authorities; in fact, their activities must be based on compliance with the principles dictated by Article 5 of the GDPR, as well as compliance with those obligations expressly provided for by law pursuant to Article 6(1)(c) of the GDPR and Article 2-ter of the Privacy Code.
However, there has been no lack of concern or debate in the public domain about the possibility of access to personal data in the case of the creation of large databases (eg, in the case of systems used for electronic invoicing or in the case of the Immuni app for preventing the spread of COVID-19), but in all these cases the relevant legal provisions ruled out such access.
European data protection legislation requires that any transfer of personal data that is undergoing processing or is intended for processing after transfer to a third country or to an international organisation (including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation) shall take place only if the level of protection of natural persons guaranteed by the GDPR is not undermined.
This therefore requires an examination of the legal provisions applicable to the third country or international organisation in order to understand the actual level of protection of personal data, taking into account the elements specified in Article 45(2) of the GDPR. This analysis is carried out by the European Commission when it adopts the adequacy decisions referred to in Article 45 of the GDPR (decisions legitimising the transfer of personal data to the country or organisation benefiting from it).
In the absence of an adequacy decision, as clarified by the Court of Justice of the European Union in its judgment of 16 July 2020 (the “Schrems II” judgment), this assessment is instead the responsibility of the data controller or data processor who is intending to export the personal data. In such a case, where the law in force in the third country or applicable to the international organisation does not guarantee an adequate level of protection of personal data, the transfer may only be carried out subject to the adoption of additional security measures suitable to mitigate the risks to the rights and freedoms of the data subjects (eg, encryption of the data prior to the transfer in order to exclusively share encrypted data).
According to Chapter V of the GDPR, the transfer of personal data to third countries and international organisations may take place on the basis of an adequacy decision as provided for in Article 45, an appropriate safeguard as provided for in Article 46, or one of the derogations set out in Article 49.
Adequacy Decision (Article 45 of the GDPR)
Taking into account the elements indicated in 4.1 Restrictions on International Data Issues, the European Commission may adopt adequacy decisions recognising that the level of protection of personal data guaranteed within the third country or international organisation is not inferior to that provided for in the GDPR. Adequacy decisions are also subject to periodic review (at least every four years), taking into account any internal regulatory developments or agreements of the third country or international organisation.
To date, 14 adequacy decisions are in force (Andorra, Argentina, Australia, Canada, Faroe Islands, Japan, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United Kingdom, Switzerland and Uruguay), while the proposal for a new adequacy decision in favour of the United States is subject to consultation.
Appropriate Safeguards (Article 46 of the GDPR)
In the absence of a decision pursuant to Article 45, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. These appropriate safeguards are:
Derogations for Specific Situations (Article 49 of the GDPR)
In the absence of a decision pursuant to Article 45 or appropriate safeguards pursuant to Article 46, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only under one of the following conditions:
As a residual measure with respect to all the above-mentioned hypotheses, a transfer to a third country or an international organisation may take place only if:
In this case, the controller shall inform the supervisory authority of the transfer and shall inform the data subject of the transfer and the compelling legitimate interests pursued.
Notification to the supervisory authority is only required in the case of transfers pursuant to Article 49(1)(2) of the GDPR. This is the case when no other means can be used to legitimise the transfer and requires that the transfer:
European legislation on the protection of personal data does not provide for any obligation to store data within a specific member state or the EEA, aiming, on the contrary, to regulate and facilitate the free movement of such data. In the case of transfers of data to third countries, however, the provisions of Chapter V of the GDPR apply in order to guarantee an adequate level of protection of personal data (see 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers).
There is no obligation stipulated under European data protection law to share data, software code, algorithms or other technologies with government authorities.
Without prejudice to other grounds for transfer pursuant to Chapter V of the GDPR, Article 48 of the GDPR provides that “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”
Moreover, Article 50(b) of the GDPR states that “in relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms.”
There are no “blocking” statutes in the European data protection legislation in addition to those described in the previous sections concerning the transfer of data outside the EEA.
Most of the topics indicated are not yet subject to specific legal provisions but are regulated on the basis of the general principles dictated by the GDPR and European legislation, and on the basis of national or European guidelines, opinions, white papers, etc. Without prejudice to what is stated in 2.2 Sectoral and Special Issues with regard to the processing of biometric data and localisation, it seems useful here to refer to Law No 205/2021 as converted into Decree Law No 8/2021, which prohibits the installation and use by public authorities or private entities of video surveillance with facial recognition systems operating through the use of biometric data in public places or places open to the public, until 31 December 2023.
On the other hand, with regard to the regulation of big data, reference is made to the fact-finding investigation carried out by the Italian Data Protection Authority in co-operation with the antitrust and telecommunications authorities, as reported in a document jointly published on 2 July 2019. In addition to setting out recommendations and guidelines for the legislator, the document also envisages the creation of a permanent co-ordination mechanism between the three competent authorities.
Italian data protection legislation does not expressly require the creation of internal committees or protocols to manage digital governance. However, in practice, it is often the case that such committees will act in support of or in collaboration with the DPO.
Please see 1.3 Administration and Enforcement Process and 2.5 Enforcement and Litigation.
The value of personal data and consent databases as a corporate asset is often underestimated in corporate transactions. In this context, with regard to the sector in question, the main activity may consist of verifying the lawfulness and correctness of the processing of personal data that makes up a company's databases; this can be done by verifying the correctness and completeness of the information that the data controller had to provide to the data subjects pursuant to Articles 13 and 14 of the GDPR, and by examining the evidence of compliance with this information notice obligation.
Furthermore, where the processing of personal data is based on consent (eg, in the case of processing for promotional purposes or in the context of scientific research), it is essential to verify the correctness and ability to prove the consents collected from the data subjects and the effective capacity of the systems to receive any requests for withdrawal and/or opposition.
From a data protection point of view, data controllers and data processors who adhere to a code of conduct pursuant to Article 40 or who benefit from certification pursuant to Article 42 may make public such adherence or certification; however, there is no obligation to disclose risk profiles.
In terms of cybersecurity legislation, the national provisions on Network and Information Security provided by Legislative Decree No 65/2018 (adopted in transposition of EU Directive 2016/1148) required subjects falling within the scope of application to co-operate with government authorities (ministries and national cybersecurity agency) to share information on and approaches to the risks and measures taken.
As provided in 1.8 Significant Pending Changes, Hot Topics and Issues, the coming period will be characterised by a debate regarding the monetisation of personal data, a phenomenon that will necessarily entail a dialogue with competition and consumer protection law (already initiated by EU Directive 2019/770). This will be even more apparent once the new European regulations that are to strengthen the Digital Single Market come into force, introducing a regulatory framework that cannot be evaluated separately, but rather requires a comprehensive overview.
There are no other significant issues.
Via Borgonuovo 12
+39 email@example.com www.ictlc.com
Transparency Decree: New Obligations for Data Controllers in the Employment Context
Italy has recently transposed Directive (EU) 2019/1152 of the European Parliament and of the Council of 20 June 2019, on transparent and predictable working conditions in the European Union, with the adoption of Legislative Decree 27 June 2022, No 104 (the “Transparency Decree”). The objective of both the Directive and the Transparency Decree is the improvement of working conditions, by promoting more transparent and predictable employment while ensuring labour market adaptability. In order to do this, the Transparency Decree – which became applicable on 13 August 2022 – lays down new transparency obligations aimed at both public and private employers, for the benefit of their employees.
In particular, the Transparency Decree has amended the pre-existing Legislative Decree 26 May 1997, No 152, which generally regulates the matter of employees’ transparency rights vis-à-vis the employer, introducing a new article 1-bis entirely dedicated to transparency in the context of automated decision-making or monitoring systems used by the employer.
Scope of application
The new provision applies when the employer makes use of “automated decision-making or monitoring systems designed to provide relevant information for the purpose of hiring or conferring the assignment, management or termination of the employment relationship, assignment of tasks or duties, as well as indications affecting the supervision, evaluation, performance and fulfilment of contractual obligations of workers.” The Italian Ministry of Labour and Social Policies has provided some clarifications on the scope of application, through Ministerial Provision of 20 September 2022, No 19.
On the one hand, according to the Ministry, with the expression “automated decision-making or monitoring systems”, the legislator aims to regulate those tools that are able to generate automated decisions through the collection and processing of data carried out through algorithms, artificial intelligence and similar means, even when there is a merely ancillary human intervention in the decision process. On the other hand, the “indications affecting the supervision, evaluation, performance and fulfilment of contractual obligations of workers” are to be interpreted in the context of the use of automated systems such as tablets, digital devices and wearables, GPS and geo-locators, facial recognition systems, rating and ranking systems, etc.
As for the subjective scope of application, the Transparency Decree applies not only to employers who establish full-fledged employment relationships, but also to those leveraging more flexible forms of working relationships, as better detailed in paragraph 7 of Article 1-bis.
New transparency obligation for employers
Where the scope of application of the provision is fulfilled, the Transparency Decree provides the right for workers to receive information on:
Regarding recipients of the information rights, the Transparency Decree mandates the employer to provide information not only to the individual workers involved in the activities, but also to the company’s trade unions or, where those are not present, to national unions. The information shall, in any case, be provided in a structured, commonly used and machine-readable format, similar to the format required under the right to data portability under Article 20 of the GDPR. Any relevant change affecting the information already provided shall be communicated to the worker at least 24 hours in advance of the change taking place.
Aside from the “passive” information rights outlined above, the Transparency Decree gives the worker a subjective right to obtain access to the data, and to obtain further details in addition to the information already provided. This right can be exercised directly by the worker, or through the relevant trade unions, and the employer then has 30 days to provide a response.
Finally, the Transparency Decree provides further ancillary obligations for the employer, building on and specifying the obligations already provided for by the GDPR. In particular, the employer is required to:
Relationship with the GDPR
After having examined the new rights and obligations laid down by the Transparency Decree, it is interesting to note their relationship with the existing provisions of the GDPR. On a general level, it should be noted that the Italian Transparency Decree (ie, a member state’s national legislation) is allowed to derogate from EU law that already governs the field, thanks to Article 88 of the GDPR, as the new legislation provides for “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context.”
Indeed, the Transparency Decree goes above and beyond the already existing GDPR transparency obligations: aside from requiring the provision of further information and details as stated in Articles 13 and 14 of the GDPR, the Transparency Decree has widened the recipients of the information to include not only the individual data subject (ie, the worker) but also the trade unions. Moreover, as seen above, the Transparency Decree establishes more stringent timing requirements for the provision of information than the GDPR: this can particularly be seen regarding the additional right of access granted to the worker, where the new legislation establishes a non-extendable deadline of 30 days, while the one-month period required by the GDPR can be extended by two further months if the requirements of Article 12 of the GDPR are met.
However, it is also apparent that many – though not all – of the obligations provided by the Transparency Decree overlap with, or are at least quite similar to, those of the GDPR. As a result, those employers who already have an advanced level of GDPR compliance are likely to be already fulfilling those obligations; one can think, for example, of the data protection impact assessment requirements, or the obligation to update the records of processing activities. In this respect, even where the Transparency Decree goes beyond the GDPR (such as when requiring the provision of information on cybersecurity measures), an attentive employer could leverage its existing data protection documentation and practices to facilitate compliance, especially in relation to data mapping and security requirements under Articles 30 and 32 of the GDPR.
Lastly, it should be noted that the Transparency Decree operates without prejudice to already existing Italian law provisions on the protection of workers' personal data, as enshrined within Article 4 of Law 20 May 1970, No 300, which regulates and limits the possibility for the employer to control workers’ activities through technological means.
Potential sanctions for non-compliance with the Transparency Decree can range from EUR100 to EUR750 for each month of non-compliance, for each worker involved. The amount increases to EUR400 to EUR1,500 if the non-compliance refers to more than five workers, and to EUR1,000 to EUR5,000 if the violation concerns more than ten workers.
Moreover, given the close interrelation between the Transparency Decree and the GDPR, it is possible that a single action or omission of the employer entails a breach of both legislative instruments. In this case, the employer might incur both the above-mentioned pecuniary sanctions and those of the GDPR, which can be as high as EUR20 million or, for companies, 4% of global annual turnover, whichever is higher.
Data Protection Enforcement and Guidance in Italy
Article 51 of the GDPR provides that “Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.” Under Article 58 of the GDPR, the supervisory authority is granted a wide range of investigative, corrective, authorising and advisory powers, notably including the possibility to levy pecuniary fines and impose a temporary or definitive ban on the processing of personal data.
In Italy, the competent supervisory authority is the Garante per la Protezione dei Dati Personali (Garante or GPDP), whose decisions can be appealed to the ordinary tribunal at second instance, and to the Supreme Court of Cassation at third instance.
The GPDP is widely considered to be one of the most active and influential supervisory authorities, having issued – as of 15 November 2022 – 201 fines, for a total of EUR141,037,096. This places Italy behind only Spain in terms of the number of sanctions issued, with the Spanish Supervisory Authority having issued 548 sanctions, but levying a total amount of EUR57,527,790.
The GPDP has issued fines and leveraged its corrective powers – including the imposition of a ban on processing – towards most GDPR areas and industry sectors. However, the Authority seems to focus its attention on certain aspects of the GDPR over others.
Trends in enforcement
Traditionally, the GPDP has been especially concerned with combating unlawful telemarketing practices, particularly regarding transparency and consent requirements, as well as the engagement of call centres as data processors without the necessary data protection safeguards, including the performance of audits by the data controller. In this field, the Garante has issued some of its highest sanctions ever published, such as those against Eni Gas e Luce (issued on 11 December 2019, for a total amount of EUR11.5 million), Tim (issued on 15 January 2020, for a total amount of EUR27.8 million) and Sky Italia (issued on 16 September 2021, for a total amount of EUR3.2 million).
More recently, the Garante has focused its attention on the protection of the data privacy rights of children, as apparent from the enforcement actions undertaken against the popular social network TikTok concerning data verification requirements. On 22 January 2021, following the highly publicised death of a ten-year-old girl from Sicily participating in a “blackout” challenge, the GPDP imposed an immediate limitation on data processing concerning users “whose age could not be established with full certainty so as to ensure compliance with the age-related requirements.” On 3 February 2021, the Italian DPA noted that, following the enforcement action, TikTok committed to fulfilling GDPR age verification requirements by taking a number of actions, including:
Another field where the Garante has recently focused its attention is that of data transfers outside of the European Economic Area, with specific regard to the requirements stemming from the Schrems II judgment.
The first noteworthy enforcement action in this respect was undertaken by the Garante against a private university. The sanction, issued on 16 September 2021, concerned the use of cloud-based facial recognition software provided by the US company “Respondus Inc.”, aimed at ensuring that students did not cheat when undertaking remote exams. The GPDP fined the university EUR200,000 for a number of GDPR violations, including the lack of appropriate safeguards for transferring data to the United States beyond the use of the European Commission’s Standard Contractual Clauses, in violation of the requirements set forth by the Schrems II ruling and the EDPB’s Recommendations 1/2020.
Further actions of the GPDP in the field of data transfers have concerned, most notably, the use of the popular Google Analytics service by Italian-based website publishers. In particular, on 9 June 2022 the Garante issued a reprimand to Caffeina Media S.r.l. highlighting, in particular, that US-based agencies may access the personal data being transferred to Google via this service. The GPDP pointed out in this regard that the measures adopted by Google to supplement the Standard Contractual Clauses already in place with the website operator did not ensure an adequate level of protection for users’ personal data, in light of the guidance provided by the EDPB through its Recommendations 1/2020. As a result, US authorities could virtually obtain access to data, even if Google Analytics claims to have never received an access request. The Authority therefore ordered the operator to bring the processing activity into compliance with the GDPR within 90 days, by dismissing Google Analytics or adopting – if feasible – additional safeguards aimed at preventing any possibility of access to the data by US authorities.
This first action was followed a few weeks later by the issuing of two further reprimands against other website publishers: ilmeteo.it S.r.l. on 7 July 2022 and Fastweb S.p.A. on 21 July 2022. In both cases, similar to the previous one, the GPDP gave the publishers 90 days to bring the processing into compliance with the GDPR.
Standardised icons for clearer privacy notices
Under Article 12 of the GDPR, the data controller is required to provide data subjects with the necessary information on the processing of their personal data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.” In order to achieve this result, Article 12 further recommends that such information “may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.”
Although not mandatory, the use of icons under the GDPR is therefore a good practice, which can help data controllers to achieve the high transparency requirements set by the GDPR, proactively demonstrating compliance in light of the principle of accountability. This is especially true in complex data processing operations and/or where the information is specifically addressed to a child, as the use of standardised icons can help boost the understandability and overall transparency of privacy notices.
Against this background, in March 2021 the GPDP launched a contest called “Easy privacy information via icons? Yes, you can!”, aimed at stimulating the development of a standardised set of icons by software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in the topic. On 15 December 2021, the Garante published the three sets of icons deemed to be most effective on its website, based on the following criteria:
The three winning projects are currently available on the GPDP’s website and can be freely used by any data controller who wishes to render its privacy notices more transparent.