Jenny.Avvocati Studio legale associato
The following law(s) specifically govern personal data / information:
The processing of personal data in Italy is regulated by:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR); and
- Legislative Decree 30/06/2003 n. 196 as amended by Legislative Decree n. 101 of 10.08.2018 (so called “Data Protection Code”).
The key data protection principles in this jurisdiction are:
The principles applying in Italy are those set forth by the GDPR. Processing is lawful only if it rests on one of the legal bases listed in Article 6(1) GDPR, namely:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of special categories of personal data (so called “sensitive data”, Article 9 GDPR) requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were collected.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
The supervisory authority / regulator in charge of data protection is:
Garante per la protezione dei dati personali based in Rome, piazza Venezia n.11 (so called “Garante”)
Is there a requirement to register with a supervisory authority / regulator?
A registration with the Data Protection Authority / regulator is not necessary.
Is there a requirement to notify the supervisory authority / regulator?
In Italy, no notification to the Garante (or to any other regulator) is required before starting processing activities or transferring data to other countries.
A prior consultation of the Garante pursuant to art. 36 GDPR is required where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk.
It should be noted that according to art. 110-bis of the Data Protection Code, a specific filing with and authorisation by the Garante is required for further processing of personal data for scientific research purposes or statistical purposes by third parties that carry out such activities on a large scale.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
- Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
- Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
- Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
- Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.
- Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
- Right to data portability
Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).
- Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or requires the data in order to establish, exercise or defend legal claims.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
- Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
- Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
- Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects concerning them or similarly significantly affects them (Article 22 GDPR).
As allowed by Article 23(1) GDPR, the Data Protection Code limits the exercise of these rights (including with regard to processing for reasons of justice) where exercising them would actually and concretely prejudice, among others:
- the interests protected by AML regulations
- investigations or contentious claims
- the confidentiality about the identity of an employee in a whistleblowing situation.
Moreover, the Data Protection Code provides (art. 2-terdecies) that the rights under the GDPR with regard to the data of the deceased may be exercised by those who have an interest of their own, or act to protect the person concerned, in their capacity as representative, or for family reasons deserving protection.
Is there a requirement to appoint a data protection officer (or equivalent)?
A data protection officer needs to be appointed if the conditions set forth in art. 37 GDPR are met. However, the Garante recommends appointing a DPO even where it is not mandatory.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
A data protection impact assessment (DPIA) is required in the cases set out in Art. 35 GDPR. Pursuant to Art. 35, par. 4 GDPR, with decision n. 467 dated 11 October 2018 the Garante published a (non-exhaustive) list of 12 types of processing activities for which a DPIA is mandatory. These include:
- any profiling activities based on aspects relating to professional performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or travel of the data subjects;
- automated processing intended to take decisions producing “legal effects” or affecting the data subject in a similarly “significant way”;
- any processing in the employment context carried out through IT systems that may result in the remote monitoring of workers (e.g. video-surveillance, geolocation);
- processing of personal data carried out by means of interlinking, combining or comparing information, including processing operations involving the cross-referencing of consumption data of digital goods with payment data (e.g. mobile payment).
It is available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9059358
Does this jurisdiction have any specific data breach notification requirements?
Pursuant to art. 33 GDPR, a personal data breach must be notified to the Garante without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Garante has published a self-assessment tool for deciding whether a breach must be notified, and a form that can be used for the notification.
A communication to the data subjects is required under art. 34 GDPR where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
The following restrictions apply to the international transfer of personal data / information:
Pursuant to art. 44 GDPR, transfers towards third countries, i.e. countries outside the EEA, are permitted only under the conditions set forth by the GDPR.
Such conditions are in particular:
- an adequacy decision by the European Commission (art. 45 GDPR);
- appropriate safeguards pursuant to art. 46 GDPR, e.g. Binding Corporate Rules, Standard Data Protection Clauses adopted by the European Commission or a national data protection authority and approved by the European Commission;
- in the absence of an adequacy decision or appropriate safeguards, the explicit consent of the data subject, given after being informed of the possible risks of the transfer (art. 49, par. 1 (a) GDPR);
- likewise, the necessity of the transfer for the performance of a contract between the data subject and the controller (art. 49, par. 1 (b) GDPR).
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
According to art. 3 GDPR, the Regulation applies to processing carried out in the context of an establishment in the EU and also to controllers and processors not established in the EU where the processing relates to the offering of goods or services to data subjects in the EU or to the monitoring of their behaviour within the EU; the GDPR therefore has an extra-territorial effect. Accordingly, the provisions of the Data Protection Code, which supplement those of the GDPR, apply to the processing of data of individuals located in Italy.
The following rules specifically deal with marketing:
Specific rules apply to marketing activities where personal data are processed by way of electronic communications (Title X of the Data Protection Code), as the provisions implementing Directive 2002/58/EC (so called “E-Privacy Directive”) have not been repealed by the GDPR. For example, pursuant to art. 130, par. 1 of the Data Protection Code, the use of automated calling systems without human intervention for direct marketing requires the prior consent of the user, whereas under par. 3-bis of the same article marketing by operator-assisted phone calls or paper mail to contacts taken from public directories is permitted as long as the user has not exercised the right to object by registering the number or address in the public opt-out register (Registro Pubblico delle Opposizioni).
Specific rules apply to marketing through cold calls.
Moreover, specific rules are set forth by the decisions of the Garante, e.g. with regard to data retention periods.
Do different rules apply to business-to-business and business-to-consumer marketing?
The GDPR does not apply to data relating to legal persons, so B2B marketing addressed to a company as such falls outside it (the personal data of individual business contacts remain covered). However, the rules contained in Title X of the Data Protection Code refer to the rights of the “user”, defined as a “natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a contracting party to such service”, and therefore apply to both B2B and B2C marketing activities.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
According to art. 130, par. 2 of the Data Protection Code, the principle that marketing communications require the (prior) consent of the user also applies to e-mail, text messages and similar means. However, the same art. 130 provides for some exceptions, e.g. for communications advertising products or services similar to those already purchased by the user, sent to the e-mail address provided by the user in the context of that sale (the so called “soft opt-in”), provided the user has not refused such use and is offered an easy way to object.
The following rules specifically deal with cookies:
Art. 122 of the Data Protection Code contains the rules applying to information stored in the user’s terminal equipment, mirroring those of the E-Privacy Directive: storing or accessing such information requires the user’s consent, after having been informed, except for “technical” cookies (those strictly necessary to transmit a communication or to provide a service explicitly requested by the user), which may be used without consent. Moreover, on 8 May 2014 the Garante issued a specific decision on cookies, setting out simplified arrangements for providing information and obtaining consent.
The consequences of non compliance with data protections laws (including marketing laws) are:
Violations of the GDPR are sanctioned as set forth in Art. 83 GDPR, with administrative fines of up to EUR 20 million or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In Italy such fines are imposed by the Garante.
Specific violations may also lead to criminal sanctions, as the Data Protection Code contains provisions on criminal offences such as unlawful data processing (art. 167 Data Protection Code), the unlawful communication and dissemination of personal data processed on a large scale (art. 167-bis) and the fraudulent acquisition of such data (art. 167-ter). Where the criteria set forth in those provisions are met, the offence may be punished by imprisonment for a period ranging from 6 months up to 6 years, depending on the seriousness of the offence.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Where a company has employees working in Italy (e.g. in a branch), the requirements of local labour law must be met, e.g. the prior trade-union agreement or authorisation by the labour inspectorate required for video-surveillance and other remote-monitoring tools under art. 4 of Law no. 300/1970 (Workers’ Statute), and the prohibition of constant monitoring through devices such as smartphones or connected vehicles.
Moreover, according to the Garante’s decision dated 27 November 2008 on the measures and arrangements applying to controllers of processing operations performed by means of electronic tools with regard to the functions of system administrators, it is necessary to:
- appoint the system administrators on an individual basis, previously appraising their experience, skills and reliability;
- report the information required to identify the system administrators, including a list of the functions entrusted to them, in an internal document to be updated regularly and made available in case of inspection by the Garante;
- inform employees about the identity of the system administrators involved in services or systems that process employees’ data;
- put in place systems that log the accesses (electronic authentications) performed by system administrators to processing systems and electronic databases, recording login and logout operations as well as failed access attempts; the records must carry a timestamp and a description of the event, be complete, unalterable and verifiable as to their integrity, and be retained for a suitable period of not less than six months.
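The logging requirement above is the one point on this page that translates directly into an engineering control. The following is an added example written for this page, not code from the Garante or from the original text: it takes syslog-style OpenSSH lines, keeps only the events of accounts appointed as system administrators, classifies each as a login, logout or failure, and stores the resulting records in a hash-chained, append-only structure so that later deletion or editing of an entry can be detected. The account names and log lines are constructed for the example, the message patterns assume OpenSSH wording, and the hash chain is one possible way to obtain an integrity-verifiable log rather than a technique the decision prescribes.

```python
"""Extract system-administrator access events from auth log lines and keep
them in a hash-chained record set (added example; constructed data)."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from typing import Iterable, Optional

# Accounts appointed as system administrators. Constructed for the example;
# in practice this list comes from the internal register the decision requires.
SYSADMINS = {"m.rossi", "l.bianchi"}

# Syslog-style line: "<iso timestamp> <host> <program>[pid]: <message>"
SYSLOG = re.compile(r"^(\S+) (\S+) (\w[\w-]*)(?:\[\d+\])?: (.*)$")
# OpenSSH sshd message shapes that we classify (assumed wording).
ACCEPTED = re.compile(r"^Accepted \S+ for (\S+) from (\S+)")
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(\S+) from (\S+)")
DISCONNECT = re.compile(r"^Disconnected from user (\S+) (\S+)")


@dataclass(frozen=True)
class AccessEvent:
    ts: str       # timestamp exactly as written in the log line
    host: str
    account: str
    kind: str     # "login" | "logout" | "failure"
    source: str   # peer address


def parse_line(line: str) -> Optional[AccessEvent]:
    """Turn one sshd syslog line into an AccessEvent; None if it is not an
    authentication event we track (other programs, unrelated sshd messages)."""
    m = SYSLOG.match(line.strip())
    if not m or m.group(3) != "sshd":
        return None
    ts, host, _, msg = m.groups()
    for pattern, kind in ((ACCEPTED, "login"), (FAILED, "failure"), (DISCONNECT, "logout")):
        hit = pattern.match(msg)
        if hit:
            return AccessEvent(ts, host, hit.group(1), kind, hit.group(2))
    return None


def extract_admin_events(lines: Iterable[str], admins=SYSADMINS) -> list[AccessEvent]:
    """Keep only the events that belong to appointed system administrators."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.account in admins]


def build_chained_log(events: Iterable[AccessEvent]) -> list[dict]:
    """Store events as an append-only, hash-chained record set: each record
    carries the SHA-256 of the previous record, so editing or removing any
    entry breaks the chain and is detectable by verify_chain()."""
    records, prev = [], "0" * 64
    for e in events:
        body = asdict(e) | {"prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        records.append(body | {"hash": digest})
        prev = digest
    return records


def verify_chain(records: list[dict]) -> bool:
    """Recompute every hash and check every link; False on any tampering."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


# Constructed sample lines (not real log data). "root" is not an appointed
# administrator here and "g.verdi" is an ordinary user, so both are dropped.
SAMPLE_LINES = [
    "2024-03-04T08:15:02+01:00 srv01 sshd[1201]: Accepted publickey for m.rossi from 10.0.0.5 port 51234 ssh2",
    "2024-03-04T08:15:09+01:00 srv01 sshd[1250]: Failed password for l.bianchi from 10.0.0.7 port 51240 ssh2",
    "2024-03-04T08:15:31+01:00 srv01 sshd[1251]: Failed password for invalid user root from 203.0.113.9 port 40022 ssh2",
    "2024-03-04T08:16:00+01:00 srv01 sshd[1260]: Accepted password for g.verdi from 10.0.0.8 port 51300 ssh2",
    "2024-03-04T09:02:44+01:00 srv01 sshd[1201]: Disconnected from user m.rossi 10.0.0.5 port 51234",
    "2024-03-04T09:03:00+01:00 srv01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    chain = build_chained_log(extract_admin_events(SAMPLE_LINES))
    for rec in chain:
        print(rec["ts"], rec["host"], rec["account"], rec["kind"], rec["source"])
    print("chain intact:", verify_chain(chain))
```

Running the script on the constructed lines yields three administrator records (a login and a logout for m.rossi, a failed attempt for l.bianchi) and reports the chain as intact. In a real deployment the records would be shipped to a separate system the administrators cannot write to and kept for at least the six months the decision requires; the hash chain only makes tampering detectable, it does not prevent it.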
Multinational organisations should be aware of the following upcoming data protection developments: