Companies doing business in Italy can now rely on guidelines on how to comply with the European privacy regulation (GDPR), and those guidelines reveal some interesting positions.
After the French and the Dutch data protection authorities, the Italian privacy regulator, the Garante per la protezione dei dati personali (the “Italian DPA”), issued its 6-step methodology on the GDPR, which aims at giving guidance while also raising awareness of the most relevant changes introduced:
1. More detailed consent and broader legitimate interest
As already provided by the current regime, any processing of personal data needs to have a legal basis justifying it. In particular, among others, on
Explicit (but no longer necessarily written) consent is required for the processing of sensitive data (e.g. health-related data, which are now incorporated in the broader “special” category of data) and for processing based on automated decision-making, including profiling. Such processing shall take place in line with the relevant guidelines of the Article 29 Working Party, which I had reviewed in this blog post.
The need for explicit consent to automated decisions impacting health-related data is burdensome since the manual processing of requests might not be economically feasible for companies in some cases. Therefore, other solutions need to be identified to avoid the risk that customers do not give their consent to the automated processing of their applications.
Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the old regime prior to the GDPR also meets the requirements of the GDPR, no new consent is required. Conversely, if this is not the case, new consent had to be obtained before the 25th of May 2018.
Legitimate interest shall no longer be identified through a decision of the data protection authority, as was the case under the old regime. Instead, the data controller shall perform a balancing test in order to rely on this legal ground for the processing of personal data, which is an alternative to consent.
The Italian DPA confirms that the criteria identified in its previous decisions relating, for instance, to the use of CCTV systems and to fraud prevention solutions still apply (read on the topic: CCTV cameras under strict data protection law obligations).
By contrast, the Italian DPA does not clarify whether legitimate interest can be relied on for direct marketing purposes, which is one of the hottest topics at the moment and which I had covered in this blog post: Legitimate interest, performance of contract and privacy consent under the GDPR.
2. A longer privacy information notice, but multi-layered
A much larger amount of compulsory information shall be listed in the privacy information notice. The most relevant change, in my view, is the need to mention the storage period of personal data expressly. This requirement will force companies to adopt a strict internal policy and technical measures to delete or anonymize data on expiry of the storage period; identifying the applicable retention period might be quite complicated, but it shall follow the criteria discussed in this blog post: Data retention period, an intrigued rebus under the GDPR.
Also, the privacy information notice shall be concise, transparent, easily accessible and easy to understand. It can rely on standardized icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasized that the European Privacy Regulation pushes for the implementation of multi-layer privacy information notices to ease their understanding by the public. This solution would be essential given the large amount of information to be included in the notice under the GDPR.
A privacy information notice compliant with the GDPR had to be in place before the 25th of May 2018; therefore, operators that interact with their customers only once a year might need to move quite fast!
3. Reinforced rights with the novelty of the data portability right
The GDPR sets strict deadlines for complying with requests by individuals to exercise their rights, and therefore ad hoc internal organizational and technical procedures shall be put in place to address such requests. Also, the Italian DPA might issue guidelines on the “reasonable fee” that individuals may be charged in extraordinary circumstances for the exercise of their rights, but in general terms the exercise of such rights shall be free of charge.
The rights of access and erasure (the so-called “right to be forgotten”) are reinforced, and the need is emphasized to put in place a procedure ensuring that third parties processing data on behalf of the data controller also erase them following the exercise of the above-mentioned right.
In particular, the right to restriction allows the further processing of personal data to be limited pending a decision on it, and obliges the adoption of a procedure to “mark” such data until the expiry of this transitional period.
As to the data portability right, the Italian DPA refers to the opinion of the Article 29 Working Party that I reviewed in this blog post.
4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains
Data processing agreements with data processors shall be amended, since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to keep a record of data processing activities, to implement adequate technical and organisational measures and, if they fall under specific categories, to appoint a data protection officer. The European Commission is considering the adoption of standard clauses for data processing agreements, but – as mentioned in this blog post – the main change relates to the controls to be implemented to monitor data processors and check their level of compliance with data protection laws.
A positive change is that data processors can appoint sub-processors, but data processors remain liable towards the data controller for the activities of their sub-processors, unless “it proves that it is not in any way responsible for the event giving rise to the damage”.
Interestingly, the Italian DPA provides that any individual accessing personal data shall still be appointed as a “person in charge of the data processing” (incaricato del trattamento), which was a peculiarity of the Italian Privacy Code. Indeed, to prove the implementation of adequate technical and organizational measures, strict instructions shall be given to whoever has access to personal data. I share this approach, and I also believe that internal data processors (also named privacy stewards/champions) and, in general, individuals in charge of monitoring privacy compliance in addition to the DPO shall be adopted to prove the setting up of adequate organizational measures.
5. Need to adopt an accountability program
The accountability principle is one of the most significant changes introduced by the General Data Protection Regulation. It requires that companies processing personal data are able to prove that they have adopted the measures necessary to comply with the GDPR, through a so-called “accountability program”.
Two of the main elements of the accountability program are the implementation of a privacy by design and privacy by default approach and the performance of a privacy impact assessment, which can be followed by a consultation with the competent data protection authority.
Under these elements, the assessment of the legality of data processing activities is no longer performed by the data protection authority but needs to be carried out by each entity processing personal data. This is why the obligation to notify certain types of data processing activities to the Italian DPA, and the obligation/possibility to run a prior check with it in some circumstances, will no longer exist.
Other elements of the accountability program are:
- The establishment of a record of processing activities, which the Italian DPA recommends to every company regardless of size, and for which it might issue a template;
- The implementation of “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, which can no longer be limited to the minimum security measures provided so far by the Italian privacy code. However, the Italian DPA is considering issuing guidelines on the security measures to be put in place;
- The adoption of a procedure for the notification of data breaches to the Italian DPA and their communication to the relevant individuals, “unless the controller is able to demonstrate […] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. For this purpose, data controllers “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken”, regardless of whether the breach has been notified to the Italian DPA, and make that documentation available upon request; and
- The appointment of a data protection officer, on which the Article 29 Working Party issued an opinion reviewed in this blog post.
6. No significant change for transfers of data outside the EEA
The principles and tools currently provided remain in place for the transfer of personal data outside the European Economic Area. It is also possible to rely on codes of conduct, but these shall be expressly approved by the competent data protection authority.
Also, courts of non-EEA countries cannot order the transfer of personal data outside the EEA. Such an order shall be given effect only through international treaties or if the relevant EU Member State recognizes a public interest in the data transfer.
The above is a very interesting outline of the main contents of the GDPR and of the applicable obligations according to the guidelines of the Italian data protection authority.