Italian privacy law integrating the GDPR is finally in place, but a number of provisions remain unclear and need immediate action.
After a well-deserved summer break, Italians are back to work, and the legislative decree integrating the GDPR has finally been published in the Official Gazette; it will be binding with effect from 19 September 2018.
As part of my videoblog, Diritto al Digitale, you can watch below a video in Italian summarizing the contents of this article.
1. The Italian Privacy Code changes after the GDPR
Rather than repealing the existing Italian Privacy Code, the government apparently decided to test our “Tetris” skills: it amended the existing Code to align it with the GDPR and replaced whole sections with cross-references to the GDPR.
The result is a very confusing text that inevitably cannot be fully aligned with the GDPR and may contain mistakes.
2. The regime for special categories of personal data still needs to be completed
The Italian Data Protection Authority is required to issue a list of additional requirements to be observed when processing genetic, biometric and health-related data. The list will be published every two years and is expected to consist mainly of specific technical measures, such as required encryption and anonymization.
The matter is quite relevant, since additional investments, at least in security measures, might be required, and the requirements may change every two years, which creates an additional element of uncertainty.
3. The strong limitations on the processing of data on criminal sanctions remain
There is a fairly extensive list of cases in which data on criminal sanctions can be processed. But the principle remains that only primary legislation or Workers Collective Agreements can authorize such processing.
This is a quite relevant issue for companies that require a criminal record check of all their employees. Such a practice must cease unless authorized either by law, as in the case of company directors, whose suitability for the role must be checked, or by a provision of the applicable Workers Collective Agreement. I discussed the issue in more detail in the blog post “How data on criminal convictions of employees become a privacy risk”.
4. A more complex internal compliance organization is required
The Italian Privacy Code prescribed the role of the “internal data processors”: persons within each department of a company in charge of monitoring compliance with data protection law. Their role is now confirmed, but they are named “designated persons”, a role usually referred to in practice as privacy stewards, champions, data owners, etc.
This is an important matter, especially for foreign companies that are not accustomed to such a requirement. But in my view, regardless of what the Italian law integrating the GDPR provides, such a requirement could be implied by the obligation to implement adequate organizational measures, which cannot mean that every data protection compliance check is delegated to the DPO (read on the topic “The DPO according to the Italian privacy authority”).
5. Is direct marketing subject to consent?
The provision of the Italian Privacy Code requiring consent for the delivery of marketing communications via email and other electronic means remains unchanged. Also, criminal sanctions are introduced for breaches of this obligation.
This is a very hot topic, since the GDPR recitals (recital 47) allow direct marketing on the basis of legitimate interest. Can Italian law go against what the GDPR provides? I covered this issue in the article “Top 5 practices on direct marketing under the GDPR” and, with reference to CRM, in the Diritto al Digitale video available below.
6. New Italian law integrating the GDPR, but existing decisions and authorizations saved
The decisions and authorizations issued by the Italian DPA, the Garante per la protezione dei dati personali, under the pre-GDPR regime, as well as the existing Ethical Codes, will remain in place “to ensure continuity” until they are updated by the Italian DPA.
This is an interesting position, but if the provision still reads as in the previous draft, where their applicability was conditioned on their being “compatible” with the GDPR, it will create major uncertainty as to which decisions and authorizations are actually compatible with the GDPR, and companies will have to engage in a sort of “guesswork”, with the result that they take on additional obligations in order to play safe.
7. Is a lighter regime for medium/small companies possible?
Under the new Italian privacy law, the Italian DPA will promote simplified ways for small and medium-sized enterprises to comply with the GDPR.
This is great, but unfortunately it might come too late, when companies are likely to have already done most of the work. Also, any such simplification will in any case operate within the perimeter of the GDPR, which cannot be derogated from save for the aspects left to the discretion of EU Member States. Therefore, the simplification cannot be too simple!
8. Do we really have an 8-month transitional period?
The Italian Data Protection Authority had requested a waiver from the obligation to issue the fines provided for by the GDPR during the period following the adoption of the decree integrating the GDPR. Since such a waiver would have been in breach of EU law, the provision instead states that, when issuing fines during the eight months following the entry into force of the decree, the Italian Data Protection Authority will “take into account” the fact that the decree has only just become applicable.
The provision is quite ambiguous. The regulator is clearly signalling that it will be more tolerant during these first months, but since it is obliged to issue fines, such tolerance cannot go beyond certain limits.
On the same topic, you may find interesting “Running late for the GDPR? What to do now to limit risks of challenges?”.