The Italian Data Protection Authority (DPA), after a long consultation, has finally published its decision on the measures to be taken in case of data breaches by telecom and Internet operators, implementing Directive 2009/136/CE.
Telephone and Internet service providers shall notify the DPA of any breach of personal data stored in electronic databases or manual archives within 24 hours of the discovery of the event, providing details on the breach such as the types of data involved, the processing systems affected and the place where the breach took place. However, in the most relevant cases, it will also be necessary to inform the individuals affected by the data breach within 3 days, providing details on the type of damages that can arise from the data breach (e.g. identity theft, reputational damages or personal damages), whether or not the stolen data were current, the types of data involved (e.g. financial, judicial or health-related data) and the volume of data involved.
Notifications might not be necessary if adequate security measures making the stolen data unintelligible are put in place, but the DPA can in any case impose such an obligation in the most relevant cases. Also, in order to allow the DPA to exercise its audit rights, operators shall keep a registry of the breaches that have occurred, their consequences and the actions taken in relation to them.
The notification obligation will not apply to content providers, search engines, Internet cafes and intranet providers, but for those entities subject to the above-mentioned obligations, fines of up to € 150,000 will be applicable, in addition to fines for the failure to notify the individuals involved and for the failure to comply with the obligation to set up the above-mentioned registry.
The obligation is already in force and operators shall soon comply with its terms. If you want to discuss the above, feel free to contact me, Giulio Coraggio.