Portolano Cavallo


What law(s) specifically govern personal data / information?

Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)

The principal data protection legislation in Italy (and the EU) is the GDPR, which replaced Directive 95/46/EC (“Data Protection Directive”). The GDPR intends to increase the harmonisation of data protection law across the EU Member States.

Legislative Decree No. 196 of June 30, 2003, as subsequently amended (“Data Protection Code”).

The main provisions of law amending the Data Protection Code are: (i) Legislative Decree No. 101 of August 10, 2018, which amended the Data Protection Code in order to adapt the national legislation to the GDPR; (ii) Law Decree No. 139 of October 8, 2021, converted into Law No. 205 of December 3, 2021, regulating, inter alia, processing activities carried out by public administrations in the public interest and the ways in which to lodge a complaint before the Garante (as defined below) in connection with “revenge porn”; and (iii) Law Decree No. 132 of September 30, 2021, converted into Law No. 178 of November 23, 2021, on the acquisition of telephone and computer records in criminal proceedings.

Law No. 5 of January 11, 2018 on telemarketing (“Telemarketing Law”)

It establishes an opt-out register and national prefixes for calls made for statistical, promotional, and market research purposes. It is implemented by the Presidential Decree No. 26 of January 27, 2022.

Legislative Decree No. 109 of May 30, 2008, implementing Directive 2006/24/EC

It regulates the retention of data generated or processed to provide publicly available electronic communications services or public communications networks.

Legislative Decree No. 51 of May 18, 2018, implementing Directive (EU) 2016/680 (Law Enforcement Directive)

It governs public authorities' processing of criminal conviction and offence data.

The Garante (as defined below) has issued guidelines and resolutions on personal data protection matters in specific fields, which apply to the extent they are compatible with the GDPR. For instance, to date five general authorizations, applicable under the former legislation to the processing of sensitive and judicial data, are still effective, as they are compatible with the GDPR and the Data Protection Code.


What are the key data protection principles in this jurisdiction?

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  • consent of the data subject for one or more specific purposes;
  • contractual necessity;
  • compliance with a legal obligation of the controller to perform the relevant processing;
  • protection of the vital interests of the data subject or of another natural person;
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment or social security law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.


What is the supervisory authority / regulator in charge of data protection?

The Italian Data Protection Authority is the Garante per la protezione dei dati personali (“Garante”).


Is there a requirement to register with a supervisory authority / regulator?

There is no requirement to register with the Garante.


Is there a requirement to notify the supervisory authority / regulator?

Generally speaking, there is no requirement to notify the Garante when carrying out personal data processing activities.

Nevertheless, the GDPR requires prior consultation with the Garante in certain circumstances (Article 36, GDPR). Furthermore, according to Article 110 of the Data Protection Code, prior consultation with the Garante is required if the controller intends to process health data without the data subject's consent for scientific research in the medical, biomedical, and epidemiological fields, provided that specific requirements are met.

Moreover, according to Article 110-bis of the Data Protection Code, under specific conditions, the controller shall seek the Garante’s prior authorization for further processing of personal data and special categories of personal data by third parties for scientific research or statistical purposes.


Is it possible to register with / notify the supervisory authority / regulator online?

N/A.


What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.


Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.


Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Pursuant to Article 35 GDPR, the controller is obliged, prior to the processing, to carry out a data protection impact assessment ("DPIA") where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

With Decision No. 467 of October 11, 2018 the Garante issued a non-exhaustive list of processing activities for which a data protection impact assessment is necessary.

These include:

  1. large-scale assessment, scoring, profiling or predictive activities relating to professional performance, economic situation, health, preferences or personal interests, reliability or behaviour, or location of the data subject;
  2. automated decision-making processes with legal effects or similarly significant effects;
  3. processing involving the systematic use of data for the observation, monitoring or control of data subjects;
  4. large-scale processing of data having a highly personal nature;
  5. processing that makes remote monitoring of employees’ activity possible;
  6. non-occasional processing of data related to vulnerable data subjects;
  7. processing carried out through innovative technologies;
  8. processing involving large-scale exchange of data between different data controllers by telematic means;
  9. processing of personal data carried out by matching or combining data sets;
  10. processing of special categories of data or data relating to criminal convictions interconnected with other personal data collected for different purposes;
  11. systematic processing of biometric data;
  12. systematic processing of genetic data.


Does this jurisdiction have any specific data breach notification requirements?

The Data Protection Code does not impose any additional notification requirements beyond those under Articles 33 and 34 of the GDPR.

The Garante has issued guidelines for reporting data breaches and, as of July 1, 2021, notification of a personal data breach must be sent to the Garante through a specific digital procedure made available on the Garante’s website (see Resolution of May 27, 2021 on the notification of personal data breaches). Moreover, the Garante has published a self-assessment tool to determine whether a data breach must be notified.

The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).


What restrictions apply to the international transfer of personal data / information?

International data transfers (i.e. transfers to jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is subject to an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

For a data transfer to any other country, the controller is obliged to ensure compliance with the GDPR rules on international data transfers through one of the following mechanisms:

  • The transfer may be based on Standard Contractual Clauses (“SCCs”) drafted by the EU Commission. The SCCs, which took effect on June 27, 2021, are available for the following transfers:
    • Module 1: controller to controller
    • Module 2: controller to processor
    • Module 3: processor to processor
    • Module 4: processor to controller
  • The transfer may be based on contracts agreed between the data exporter and data importer, provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is required.
  • The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
  • The transfer is covered by one of the permitted derogations set out in Article 49 GDPR (in the absence of an adequacy decision or appropriate safeguards), such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the data controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.
  • In addition to the above, the European Data Protection Board published Frequently Asked Questions following the EU Court of Justice's July 16, 2020 ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II). The Garante made available on its website the Italian translation of these FAQs.

Furthermore, the Garante has declared unlawful the processing of personal data using Google Analytics, as it implies the transfer of personal data to the U.S. without adequate safeguards.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The GDPR’s principles on territorial scope apply.

With regard to its geographic scope, the GDPR combines the principles of establishment, marketplace and territoriality.

Pursuant to the principle of establishment, the GDPR applies to processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.

Pursuant to the principle of the marketplace, the GDPR applies to the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment by the data subject is required; or (ii) the monitoring of their behaviour, as far as their behaviour takes place within the EU (principle of territoriality).


What rules specifically deal with marketing?

In the Italian framework, marketing communications are regulated by:

  • Title X of the Data Protection Code, as amended, which implements the ePrivacy Directive (Directive 2002/58/EC);
  • Guidelines on Marketing and against Spam issued by the Garante with Decision No. 330 of July 4, 2013 (“Guidelines on marketing and against spam”); and
  • Telemarketing Law.

As a general principle, marketing activities can only be carried out with the data subject’s prior consent, subject to specific and strict exceptions.

In accordance with Article 130, paragraphs 1 and 2, of the Data Protection Code, data processing for promotional purposes may be performed by way of automated or similar tools (e.g. emails, faxes, SMS, or MMS) only if the data controller obtains the recipients’ prior, free, informed and specific consent (opt-in requirement).

As for automated phone calls, Article 1 of the Telemarketing Law provides that users who have previously given consent to receiving these calls can revoke such consent by registering in the opt-out register, the so-called Registro delle Opposizioni.

According to Article 130, paragraph 3-bis, of the Data Protection Code, marketing calls made through an operator (and thus not through automated or similar tools) are permitted without the recipients’ prior consent, provided that the recipients have not registered their numbers in the opt-out register (opt-out requirement).

Presidential Decree No. 26 of January 27, 2022, extends the scope of the Registro delle Opposizioni to embrace also the calls made through automated means. In this case, the enrollment in the Registro delle Opposizioni amounts to withdrawal of consent previously given.

The Garante has also adopted a new telematic procedure to report the receipt of unsolicited calls which fully replaces the use of the hard copy form.

In relation to email and mail marketing, the data subject’s consent is not required under the soft opt-in rule of Article 130, paragraph 4, of the Data Protection Code, if the following conditions are met:

  • the data controller uses the email provided by the data subject in the course of a previous sale of a product or service;
  • the product or service advertised is similar to one previously sold (a purchase is necessary, a mere negotiation is not sufficient); and
  • the data subject has been duly informed as to the purposes and mechanisms of the processing and is given a simple opportunity to refuse or opt out of receiving marketing communications.


Do different rules apply to business-to-business and business-to-consumer marketing?

No. Business contact details are still personal data under the GDPR, thus the relevant data protection provisions apply. There are no specific exceptions for B2B marketing.


What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

See answer above to question “What rules specifically deal with marketing?”.


What rules specifically deal with cookies?

The use of cookies is regulated by Article 122 of the Data Protection Code. In addition, the Garante issued its Guidelines on the use of cookies and other tracking tools with Decision No. 231 of June 10, 2021 (“Cookie Guidelines”).

Generally speaking, there are two macro-categories of cookies: the technical and the profiling ones.

  • Technical cookies are those used exclusively with a view to “carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service”. The use of technical cookies does not require consent of the data subjects.
  • Profiling cookies “are used to trace specific actions or recurring behavioural patterns in the use of the offered functionalities back to specific, identified or identifiable individuals for the purpose of grouping the different profiles within homogeneous, multi-sized clusters; this is aimed in turn to enable the controller to, inter alia, provide increasingly customised services beyond what is strictly necessary for the delivery of the given service and also send targeted advertising messages, i.e. messages that are in line with the preferences expressed by the user in the context of their web-browsing activities”. Profiling cookies require data subjects’ consent.

According to the Cookie Guidelines, the user’s consent may be gathered through a proper banner which shall include specific information and meet determined requirements.

Additionally, the Cookie Guidelines provide for a third category of cookies, i.e. analytics cookies. According to the Garante, analytics cookies are equivalent to technical cookies and therefore they will not need the user’s consent only if the following requirements are met:

  • if provided by third parties, suitable tools are adopted to reduce the identification power of cookies (e.g., by masking significant portions of the IP address) and the third parties undertake not to combine the data obtained from these cookies with other information already available to them.

If these conditions are not met, these cookies are considered as profiling cookies and, as such, the data subject shall give their consent and a proper banner shall be added.

Lastly, on June 9, 2022, the Garante issued a decision banning the use of Google Analytics without the implementation of adequate additional safeguards for the data transfer to the U.S. (Decision No. 224, doc. web No. 9782890). Moreover, the Garante explicitly stated that Google Analytics is not prevented from combining the data collected via Google Analytics cookies with other personal data; therefore, it can reasonably be expected that Google Analytics cookies cannot be considered analytics cookies unless additional specific measures are implemented.


What are the consequences of non-compliance with data protection laws (including marketing laws)?

The GDPR provides for a maximum penalty in the amount of the higher of EUR 20 million or 4% of worldwide turnover (Article 83 GDPR).

In addition, the Data Protection Code provides for the following criminal offences:

  • Article 167: Unlawful data processing for the purpose of gaining a profit or causing damage to data subjects;
  • Article 167-bis: Unlawful communication and dissemination of personal data that are processed on a large scale;
  • Article 167-ter: Fraudulent acquisition of personal data that are processed on a large scale;
  • Article 168: Untrue declarations to the Garante and intentional interruption or disturbance of the regular proceeding before the Garante or the investigations carried out by the Garante;
  • Article 170: Failure to comply with provisions issued by the Garante;
  • Article 171: Violations of the provisions concerning remote surveillance and surveys of employees’ opinion.


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Controllers and processors who are not established in the EEA are generally required under Article 27 GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

Multinational organisations not located in Italy should especially be aware of:

  • the potential criminal consequences of violations of the Data Protection Code;
  • sector based guidelines issued by the Garante, such as the Cookie Guidelines; and
  • the requirements in case the company has employees working in Italy (e.g. for a branch). For instance, specific authorisation for video-surveillance is required and constant monitoring through devices such as smartphones or connected vehicles is prohibited.


What upcoming data protection developments should multinational organisations be aware of?

Multinational organisations should be aware of the legislative development on the transfer of data to non-EU countries, notably to the U.S., since it will represent a major reform that will most likely impact the technology industry and e-commerce. It will also impact the use of Google Analytics (see our answer above to the question “What rules specifically deal with cookies?”).

Furthermore, once issued, the e-Privacy Regulation (replacing the e-Privacy Directive) will have a significant impact on online processing of personal data.


Need more information?
Contact a member firm:
Giulio Novellini
Portolano Cavallo
Italy