The Board of Ministries approved the final text of the Italian privacy law integrating the GDPR, raising major concerns about the scope of the law.
On 8 August 2018, the Italian Board of Ministries announced that it had approved the Italian privacy law integrating the GDPR. The law has now been published in the Official Gazette; you can read an article in English on the topic, “Italian law integrating the GDPR in place, what changes?”, and watch a video in Italian below as part of my videoblog Diritto al Digitale.
The main contents of the decree are below.
1. The Italian Privacy Code is not repealed
Rather than removing the existing Italian Privacy Code, the government apparently decided to test our “Tetris” skills, merely amending the existing Italian Privacy Code to align it with the GDPR and replacing whole sections with cross-references to the GDPR.
The result is a very confusing text which inevitably cannot be 100% aligned with the GDPR and might contain mistakes.
2. Additional guarantees for special categories of personal data
The Italian Data Protection Authority is requested to issue a list of additional requirements to be observed in the processing of genetic, biometric and health-related data. The list will be published every two years and shall mainly contain specific technical measures in terms of required encryption and anonymization.
The matter is quite relevant, since additional investments, at least in security measures, might be required and updated every two years, which creates an additional element of uncertainty.
3. Processing of data on criminal sanctions remains restricted
There is a quite extensive list of examples of when data on criminal sanctions can be processed, but the principle remains that only primary law or Workers’ Collective Agreements can authorize their processing.
This is a quite relevant issue for companies that require a criminal record check for all their employees. Such practice must cease unless it is authorized either by law (as in the case of company directors, in order to check their suitability for the role) or by the provisions of the applicable Workers’ Collective Agreements. I discussed the issue in more detail in this blog post.
4. Internal data processors remain!
The Italian Privacy Code prescribed the role of the “internal data processors”, persons within each department of a company in charge of monitoring data protection law compliance. As anticipated by the guidelines of the Italian data protection authority on the GDPR, their role is now confirmed, but they are named “designated persons”, a role which we usually rename privacy stewards, champions, data owners, etc.
This is an important matter, especially for foreign companies that are not accustomed to such a requirement. In my view, however, regardless of what Italian law provides, such a requirement could be implied by the obligation to implement adequate organizational measures, which cannot mean that every data protection law compliance check is delegated to the DPO. I covered the issue in this article and in the video available below as part of Diritto al Digitale.
5. Consent required for electronic direct marketing
The provision of the Italian Privacy Code that requires consent for the delivery of marketing communications via email and other electronic means remains unchanged. Criminal sanctions are also introduced for the breach of this obligation.
This is a very hot topic, since the GDPR, according to its recitals, allows direct marketing to be performed on the basis of legitimate interest. Can Italian law go against what the GDPR provides? I covered this issue in this article and in the video available below, with reference to CRM, as part of Diritto al Digitale.
6. Existing decisions and authorizations of the Italian Data Protection Authority saved
The decisions and authorizations issued by the Italian DPA, the Garante per il trattamento dei dati personali, under the regime prior to the GDPR, as well as the existing Ethical Codes, will remain in place “to ensure continuity”, until they are updated by the Italian DPA.
This is an interesting position, but if the provision is still worded as in the previous draft, which referred to their applicability “provided that they are compatible” with the GDPR, it is going to create major uncertainty as to which decisions/authorizations are actually compatible with the GDPR, and companies will have to engage in a sort of “guesswork”, with the result that they take on additional obligations in order to play safe.
7. Simplified modalities of compliance with the GDPR for medium/small companies
The Italian DPA will promote, under the new Italian privacy law, simplified modalities to comply with the GDPR for small and medium enterprises.
This is great, but unfortunately it might come too late, when companies are likely to have already done most of the work. Also, this simplification will in any case operate within the perimeter of the GDPR, which cannot be derogated from, save for the aspects left to the discretion of EU Member States. Therefore, such simplification cannot be too simple!
8. An 8-month transitional period for fines?
The Italian Data Protection Authority had asked for a waiver from the obligation to issue the fines provided by the GDPR during the period following the adoption of the decree integrating the GDPR. Since such a waiver would have been in breach of EU law, the provision states that the Italian Data Protection Authority will “take into account”, when issuing fines, the fact that the decree has only just become applicable, during the 8-month period following the entry into force of the decree.
The provision is quite ambiguous. The regulator is clearly signalling that it will be more tolerant during these first months, but since it is obliged to issue fines, such tolerance cannot go beyond certain limits.