1. Basic National Legal Regime
As regards personal data protection and cybersecurity, Italy's main law is the Personal Data Protection Code or Privacy Code (Legislative Decree No 196 of 30 June 2003: Codice in materia di protezione dei dati personali o Codice Privacy), which constitutes the transposition of directive 95/46/EC and directive 2002/58/EC, and repeals Law No 675 of 31 December 1996 (the very first Italian data protection law). The Privacy Code is the consolidated statute on both data protection and cybersecurity, and it is complemented by guidelines, recommendations, orders and codes of conduct issued and approved by the Italian Personal Data Protection Authority (referred to as Garante per la protezione dei dati personali or Garante).
In addition, and prior to, the Privacy Code, the Constitution of the Italian Republic (which lists all fundamental principles governing Italy) also provides for personal data protection: namely Article 2, stating that: "The Republic recognises and guarantees the inviolable rights of the person, as an individual and in the social groups where human personality is expressed." Moreover, Article 15 expressly qualifies as inviolable: "The freedom and confidentiality of correspondence and of every other form of communication," thus including electronic communication. General principles applying to data protection can also be found in the European Convention on Human Rights adopted by the European Court of Human Rights (namely Article 8, granting the right to respect for private and family life) and in the Charter of Fundamental Rights of the European Union (Article 7 concerns family life, whereas Article 8 expressly addresses everyone's right to protection of personal data); moreover, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the so-called "Convention 108") of the Council of Europe shall also be mentioned.
A number of other national laws may address specific categories of personal data, adding requirements for lawful processing. For instance: the processing of portrait photos is subject to both the Privacy Code and Copyright Law (ieLaw No 633 of 22 April 1941); video surveillance systems have to comply with both the Privacy Code and the so-called Statuto dei Lavoratori or Workers' Statute (ieLaw No 300 of 20 May 1970).
Save for the above, the basic principles governing personal data processing are found under Sections 3 and 11 of the Privacy Code. According to such principles, personal data shall be:
- processed lawfully and fairly (lawfulness and fairness);
- collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes (purpose limitation);
- accurate and, when necessary, kept up to date (accuracy);
- relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed (proportionality);
- limited to cases in which the purpose sought cannot be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in the case of necessity (data minimisation); and
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (limited storage period).
Data subjects shall, in any case, be informed of the main features of the processing, prior to processing; if personal data is not collected directly from data subjects, an information notice shall be given at the time of recording such data or, if their communication is envisaged, no later than when the data is first communicated. Such information shall include, inter alia: the identity and the contact details of the controller; the purposes of the processing; the obligatory or voluntary nature of providing the requested data, and the consequences in the event of refusal; the recipients or categories of recipients of the personal data, and the scope of dissemination; the transfer of personal data to a third country; and a brief description of the rights granted to data subjects according to the applicable data protection laws.
The legal basis for processing is, in most cases, the consent of a data subject: however, the consent might not be necessary where any other lawful basis for processing applies (ieif the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or else in order to comply with specific requests made by the data subject prior to entering into a contract).
Data controllers shall further process personal data in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Data processors, if any, shall be duly appointed in writing and given instructions by the data controller.
The Garante is the main authority in charge of verifying whether data processing operations are carried out in compliance with the laws and regulations in force. Such tasks shall be discharged, inter alia, by: asking data controllers, data processors, data subjects or third parties to provide information and produce documents; ordering data controllers or data processors to adopt such measures as are necessary or appropriate; prohibiting unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations, and taking other measures as provided for by the legislation applying to the processing of personal data; giving opinions whenever required; and preferring information on facts and/or circumstances amounting to offences to be prosecuted ex officio, which it has come to know either in discharging or on account of its duties.
The Garante shall act either ex officio, or after receipts of reports and complaints lodged by other data subjects or the associations representing them. Investigations shall be carried out both through requests for information and documents and through access to data banks and performance of audits on the spot as regards premises where the processing takes place. The Privacy Unit of the Financial Police is the public authority that usually conducts such inspections on behalf of the Garante.
A plan of the future activities of the Garante is issued on a yearly basis: this document states the business field on which the investigations of the Garante are mainly focused in the relevant period.
1.3 Administration Process
Data subjects may apply to the Garante to point out an infringement of the relevant provisions on the processing of personal data; to call for a check on the mentioned provisions; or to lodge a complaint with a view to establishing the specific rights granted to data subjects by the applicable data protection law.
Any claim concerning data protection shall also be filed, alternatively and not cumulatively, to the civil courts (save for the fact that infringement of data protection provisions might result also in criminal offences). The two remedies differ in that: proceedings in front of the Garante do not require any formality, but the Garante is not entitled to provide for monetary compensation for damages; judicial proceedings have no fixed term, whereas the term provided to the Garante is 60 days from the date on which the complaint was lodged, to be extended by no more than 40 additional days if the enquiries are especially complex or the parties agree thereto (and, if no decision on the complaint is rendered within such a term, the complaint shall be regarded as dismissed).
A complaint filed to the Garante shall refer, with as many details as possible, to the facts and circumstances on which it is grounded; the date of the request made to the data controller; the remedies sought as well as to the identification data concerning the data controller and claimant; and the domicile of choice for the purposes of the relevant proceedings, including the address where communications shall be served. Any documents that may be helpful in evaluating the complaint must also be attached to it.
The Garante shall be responsible for communicating the complaint to the data controller within three days. The data controller may notify both the complainant and the Garante within ten days that he or she will voluntarily comply and, in this case, a declaration of no case to answer shall be returned. The data controller and the data subject have the right to be heard and submit pleadings or documents.
The Garante may order, also ex officio, that one or more expert assessments are carried out.
Measures taken following a complaint (or ex officio) shall include: the partial or total blocking of some of the data (also provisional, during proceedings), or the immediate termination of one or more processing operations; the order that the data controller abstain from unlawful conduct; and further remedies to enforce the data subject's rights and set a term for their implementation.
The decision may be challenged by the data controller or the data subject, as the case may be, by filing a petition to the judicial authority. Challenging shall not suspend enforcement of the decision.
1.4 Multilateral and Subnational Issues
Personal data protection has a high importance in the European Union (EU): aiming to grant the same level of personal data protection in the whole EU, national laws have been, at first, harmonised through Directive 95/46/EC and Directive 2002/58/EC, and then standardised, through the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the so-called General Data Protection Regulation or GDPR). The GDPR is binding and applicable as of 25 May 2016, but it becomes enforceable from 25 May 2018 after a two-year transition period.
Being a member of the EU, Italy shall abide by European regulations and directives and shall disapply any national laws inconsistent with EU rules and principles: this is why the Privacy Code is the transposition of Directive 95/46/EC and Directive 2002/58/EC, and this is why the Italian Government has been put in charge of the task of amending the Privacy Code in compliance with the new rules.
1.5 Major NGOs and Self-Regulatory Organisations
Among non-governmental organisations (NGOs), Federprivacy (Federazione Italiana Privacy or Italian Privacy Federation) must be mentioned. This association gathers privacy professionals and provides training on privacy issues.
Collective organisations representing specific categories of individuals for general purposes may draft codes of conduct, to be approved by the Garante.
1.6 System Characteristics
Italy is highly regulated, due to the fact that it follows the EU model: European systems are more developed than non-EU countries.
Compared to other Supervisory Authorities, the Garante is one of the most active in verifying and ensuring the compliance to data protection rules and principles.
1.7 Key Developments
In the last few months, no key developments have occurred in Italian national law or in the regulation field.
As anticipated, on 25 May 2018 the GDPR will enter into full force and effect: this means that, by this date, any EU Member State must implement due measures to ensure the effectiveness of the new rules, either by disapplying any non-consistent national law, or adopting any necessary new laws.
Ever since the adoption of the GDPR, Supervisory Authorities on a national level, and Article 29 Working Party (ie a group bringing together representatives of Supervisory Authorities of all EU Member States, as well as of the European Data Protection Supervisor and the European Commission; according to the GDPR, the Article 29 Working Party is going to be substituted by the European Data Protection Board) on a European level, have committed to ensuring the effective implementation of these issuing guidelines to data controllers and data processors to help with understanding and applying the new rules. The guidelines adopted so far by the Article 29 Working Party concern the right to data portability, data protection officers (DPOs), data protection impact assessments, the Lead Supervisory Authority, the application and setting of administrative fines , data breach notification and automated individual decision-making and profiling. Further guidelines have been drafted, but not yet adopted, and concern transparency, consent and adequacy referential.
In addition to guidelines concerning the GDPR, the Article 29 Working Party "Opinion 2/2017 on data processing at work" issued on 8 June 2017 has to be mentioned. Among other relevant issues, this document directs data controllers' attention to the fact that employees' consent is highly unlikely to be a legal basis for data processing at work, unless employees can effectively refuse without adverse consequences: indeed, employees are seldom in a position to give, refuse or revoke consent freely, given the dependency inherent in the employer/employee relationship.
As far as the transfer of personal data to non-EU Member States is concerned, in October 2017 the Irish Judges asked the European Court of Justice for a preliminary ruling on whether to strike down the data transfer mechanism used by Facebook (as well as by other tech groups) to transfer personal data of Facebook's European users to the United States, ie the so-called "standard contractual clauses": the awaited decision is going to have a huge impact on the legitimate grounds for data transfers among companies that are part of the same group.
1.8 Significant Pending Changes, Hot Topics and Issues
On 25 October 2017, with Law No 163, the Italian Government has been put in charge of amending – within six months – the Privacy Code as necessary to be consistent with the GDPR, in particular: repealing what is inconsistent with the new rules; co-ordinating the existing provisions with the GDPR; updating the Privacy Code to execute the provisions of the GDPR that are not directly applicable; and adjusting the penalty system. The Garante shall also issue any due decision to execute the GDPR properly.
At the end of January 2018, the European Commission issued its guidance on direct application of the GDPR (addressed mainly to citizens, business and organisations) and warned Italy: the concern is that Italy will not duly (ie by 25 May 2018) implement the GDPR in a timely manner.
The general principles governing data protection in the GDPR are basically the same as in the Privacy Code, with a higher attention to data controllers' accountability: therefore, no material changes are awaited.
This assumption has been confirmed by the Garante in its very first operative guide for the application of the GDPR: it is for this reason that most of the orders, guidelines and measures issued so far are likely to remain applicable; and it is for the same reason that the category of persons in charge of the processing, ie the natural persons that have been authorised by the data controller or processor to carry out processing operations (incaricati del trattamento), have already been confirmed. It must be noted that persons in charge of the processing are a peculiarity of the Italian system only, since their category has been added by Italian legislators to those of "data controllers" and "data processors" while transposing directive 95/46/EC (in other EU Member States, the category of "data processors" includes that of "persons in charge of the processing").
The Garante is going to issue draft agreements with data processors and joint controllers, and a formal repeal of the duty to notify certain processing operations is also awaited. As of today, clarifications on the role of DPOs have been issued only regarding the public sector, with a draft appointment agreement as well.
The GDPR has been adopted together with "Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA". This directive has to be transposed by 6 May 2018: the consequent amendments to the Privacy Code will affect Articles 53-58, concerning processing by the police and state defence and security.
As far as Italian national law is concerned, the so-called Registro delle Opposizioni (Opt-Out Register) has been amended with Law No 5 on 11 January 2018 – effective from 4 February 2018. This register collects, on a voluntary basis, data subjects' telephone numbers in case data subjects do not want their data processed for direct marketing or advertising purposes, or else for carrying out market surveys or interactive business communication. The main changes concern the possibility to include not only phone numbers, but also mobile numbers and, in both cases, irrespective of their being contained in publicly available paper or electronic directories, and the duty of data controllers to check, at least once a month, whether phone and mobile numbers have been included in the register, since a subsequent inclusion serves as waiver of the consent to processing.
Originally published by Data Protection & Cyber Security 2018, Chambers & Partners.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.