Although the General Data Protection Regulation ("GDPR") entered into force on May 25, 2018 ("GDPR Day"), many EU member states were late in taking steps to adopt domestic provisions in those areas where GDPR allowed them to do so. GDPR is leaving some room to member states in order to adjust the regulation to their legal system. The list of possible deviations is broad, ranging from restrictions and limitations to the processing of biometric, genetic and health data to the appointment of data protection officers.

In Italy, national measures were made through Legislative Decree No. 101/2018 (the "Decree"). The Decree was adopted on August 10, 2018, and entered into force on September 19, 2018, just one day after the start of the Milan Fashion Week.

We briefly touch some of the provisions of the Decree to figure out what would the Italian GDPR style may look like:

  • Minor consent: The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent.
  • Processing of biometric, genetic and health data: The Decree provides that specific conditions for the lawful processing of genetic data, biometric data or data concerning health will be adopted. The Italian Supervisory Authority is tasked with such adoption, at least every two years. Until then, the previously issued measures continue to apply (insofar as they are compatible with GDPR).
  • Limitation to data subject rights: Existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.
  • More sub-regulation(s) to come: In an number of areas—such as data processing for journalistic, academic or artistic purposes; processing within the framework of employment; and accessing public documents—sector sub-regulations will be adopted by the Italian Supervisory Authority. Prior to their adoption, they will be subject to public consultation.

As one can see, the Italian Supervisory Authority is still cutting the pattern for the Italian version of GDPR When the Italian collection hits the catwalk, one will be able to assess whether the Italian domestic framework will be a style worth stealing.

Elegance is not standing out, but being remembered (G. Armani).

21 September 2018

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.