After our first update on the reformed Italian Data Protection Code (DPC), we decided to write down a FAQ list concerning the most common questions received from clients and colleagues on the relationship between GDPR and the new DPC.
1. Which parts of the old DPC are going to be repealed?
All those implementing Directive 95/46/EC or in any case incompatible with the general regulatory framework set forth under the GDPR will be repealed. This means that the new DPC is going to be much shorter than it was before, although some provisions still have their degree of complexity.
2. How many data protection laws / regulations sources should we consider now?
This may depend on the sector where a controller/processor operates (e.g., public administration, healthcare, electronic communications, etc.). However, in general it is advisable to take into account: (i) the GDPR; (ii) the new DPC; (iii) leg. decree no. 65/2018 implementing EU Network and Information Security systems Directive in the Italian legal system; (iv) the Garante's past guidelines and authorizations; (v) national and European courts' case law; and (v) EU regulators' (i.e., WP29, EDPS and EDPB) opinions, decisions, statements and guidelines.
3. Are ePrivacy rules on marketing and online tracking going to remain the same or not?
The new DPC maintained the ePrivacy rules as they were set in the former DPC. This is likely to remain the same until the upcoming ePrivacy Regulation is approved and comes into effect (most likely in late 2019).
4. Which areas are left to the intervention of the Garante?
The Garante has been granted space for intervention by the GDPR with regard to the following:
- Processing activities falling under legal obligations according to national law
- Processing activities performed in the public interest by both public and private entities
- Processing of health related, genetic and biometric data
- Processing of personal data for journalistic, academic and artistic purposes
- Processing activities performed in the context of an employment relationship
- Processing activities performed for statistic, scientific and research purposes
- Processing activities subject to secrecy obligations
- Processing activities performed by religious associations
Currently the Garante issued no official statement concerning how it will further address the above areas or whether an order of priority is set.
5. What is going to happen to the Codes of Conduct attached to the former DPC?
Some of the Codes of Conduct referred to in the old DPC (i.e., use of commercial information and payment checks) will continue to produce their effects, passing through a one-year path from the entry into force of the new DPC subject to the Garante's review. With regard to the other Codes (i.e., journalistic, historical, statistical purpose and defensive investigations), the Garante will carry out a compatibility exercise with the GDPR and demand trade associations / stakeholders to provide a new draft for discussion and subsequent approval.
6. Are there any limitations as to the exercise of data subjects' rights in the new DPC?
Under the new DPC, data subjects' rights as per articles 15-22 of the GDPR can be limited or excluded only under very specific circumstances. This is especially true when they conflict with other requirements imposed by national laws and regulations (e.g., AML, investigations of parliamentary commissions of inquiry, defensive investigations, judicial proceedings or whistleblowing).
7. What news for electronic communication providers?
The new DPC does not introduce particular changes with regard to the processing of personal data by electronic communication providers. The same discipline concerning data breach and NIS Directive shall apply without particular derogations. However, we do not exclude that the Garante will introduce further guidance on this topic.
8. Is there going to be a "grace period" for administrative sanctions?
No, there is not going to be any "grace period". In fact, the Garante only issued an official statement saying that for the first months from the coming into effect of the new DPC it will carefully pursue the application of administrative sanctions by taking a "pragmatic and realistic approach" (i.e., the Garante will focus on the major and more extensive violations of the GDPR and the new DPC.)
9. What are the main deadlines/timelines of the new DPC that we have to take into account?
The main deadlines and timelines are the following:
- September 19, 2018 - coming into effect of the new DPC
- September 19, 2018 - the Garante's general authorizations for the processing of special categories of personal data cease are no longer effective
- 2 years - the term of effectiveness of the new guidance of the Garante concerning genetic and biometric data
- 90 days from September 2018 - the term within which the Garante shall verify the consistency of existing codes of conducts with the new DPC and the GDPR
- 31 December 2019 - last day in which it will be possible to access the register of notifications to the Garante as repealed by the new DPC
- 9/12 months - the timeframe within which the Garante shall decide on claims and proceedings. The term runs from the filing date of the specific claim and cannot be extended further
- 7 years - the duration of the term in office of the members of the Council of the Garante, who are elected by the Italian Parliament.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.