The Italian implementation of the GDPR is creating some confusion about privacy obligations, but the GDPR is already in force and its fines may already apply.
As anticipated, on 13 September 2018 we ran an interesting event on the new Italian data protection law implementing the GDPR. Despite the very short one-week notice, we had a room “packed” with DPOs and legal counsels eager to know what was going to change with the long-awaited new Italian privacy law implementing the GDPR. Below are the presentation we showed during the event and my top five takeaways from the discussion.
1. Is the GDPR the future or “Back to the Future”?
2. Is the new privacy framework complete, but still incomplete?
3. Shall direct marketing give up legitimate interest?
4. Which old obligations are still in place under the Italian implementation of the GDPR?
- appoint a system administrator,
- adopt measures on CCTV systems,
- meet the requirements set out in the decision on cookies, but is the consent it requires in line with the GDPR?
- follow the guidelines of the Italian DPA on direct marketing,
- adopt the measures required by prior opinions of the DPA, but must data controllers run a DPIA at the same time?
- implement the retention periods provided by decisions of the Italian DPA.
Also, the most burdensome obligation appears to be the need to set up an internal organisational model with so-called “internal” data processors and the appointment of each individual who accesses personal data as a person in charge of the data processing, as shown in the chart below.
5. Sanctions are getting scary, but do we have a transitional period?
Criminal sanctions have been added to the fines already provided for by the GDPR. It is also relevant that such fines apply to breaches of direct marketing rules as well, which is the most sensitive topic for most of our clients.
Interestingly, the Italian decree implementing the GDPR provides for an eight-month period, up to 19 May 2019, during which the Italian data protection authority will take into account the first applicability of the GDPR when determining fines.
There was considerable discussion among DPOs on this topic during the event, and the general feeling is that the provision is very uncertain; the Italian data protection authority has declared that it deems the GDPR sanctions already applicable.
On the same topic, you can read “Italian law integrating the GDPR in place, what changes?“.