22 Nov iConsumer #8 – The Italian e-invoicing system and DPIA scenarios under privacy review
iConsumer deals with the decisions of the Italian DPA on e-invoicing and on the list of data processing activities for which a DPIA is required.
These are busy times for the Italian data protection authority (the Garante), which recently released:
- Regulation 467 of 11 October 2018, which contains the list of data processing activities that, according to art. 35 of the GDPR, require a data protection impact assessment (“DPIA”); and
- Regulation 481 of 15 November 2018, which sets out several requirements that the Italian Revenue Agency must comply with in relation to the Italian e-invoicing system that will be in place from 1 January 2019.
Let’s analyze the key points arising from them:
The Garante’s position on the Italian e-invoicing system
In Regulation 481, the Garante advised the Revenue Agency on the Italian e-invoicing system, reaching the conclusion that it
“shows significant problems arising from compliance with the data protection legislation”.
Indeed, according to the Italian data protection authority, the Italian e-invoicing system – extended from 1 January 2019 also to relationships between suppliers and between suppliers and consumers – presents high risks for the rights and freedoms of data subjects, since it involves a systematic, generalized and detailed processing of personal data on a large scale, potentially related to every aspect of the daily life of the entire population, and disproportionate with regard to the purpose of public interest pursued.
In particular, the issues raised by the Italian privacy authority include the following:
- The Italian e-invoicing system also applies to B2C transactions and requires the archiving of information that is not relevant for tax purposes, e.g. information on the type of service received. Such data processing would be unjustified;
- The Revenue Agency has to comply with its obligation to provide a privacy information notice to the individuals whose personal data it will process as part of the Italian e-invoicing system;
- Making all the e-invoices of each individual available on the portal of the Revenue Agency creates a risk of loss and unlawful processing of such documents, due to the massive amount of data processed; and
- There is a lack of technical and organizational measures for intermediaries, which will have to transfer e-invoices to the portal of the Revenue Agency and will therefore have access to a large amount of personal data.
Accordingly, the Garante asked the Agency to urgently advise how it intends to make the personal data processing carried out for e-invoicing compliant with Italian and European privacy laws.
This is the first time that the Garante has exercised the new corrective warning power assigned to it by the GDPR, by way of a decision adopted following several complaints. It will be interesting to see how the Revenue Agency reacts in the few months remaining before the deadline of 1 January 2019, when the Italian e-invoicing system will become compulsory.
The Italian DPIA list and concerns on its scope
In July 2018, the Garante transmitted to the European Data Protection Board (“EDPB”) a draft list of the data processing activities that must be subject to a DPIA. The EDPB then set out its findings and observations on that draft in an opinion prescribing several corrections that the Garante should make before releasing the final version of the DPIA list.
Accordingly, in Regulation 467, the Garante specified that the following processing operations require a DPIA:
- Large-scale evaluation or scoring activities, as well as activities involving profiling on various aspects of the data subject’s personal life, including “individuals’ performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”;
- Automated processing activities aimed at making decisions that produce “legal effects” or affect data subjects “in a similar way significantly” (e.g. screening activities in the banking sector);
- Processing activities based on the systematic use of data for the observation and monitoring of data subjects, including the collection of data through networks, also carried out online or through apps, as well as the processing of unique identifiers able to identify users of information society services (e.g. web services, interactive TVs). Processing based on metadata is also included for this purpose;
- Large-scale processing of “highly personal data” (e.g. data related to family or private life, such as data relating to electronic communications), or processing affecting the exercise of a fundamental right (such as location data), or data whose breach would have a serious impact on the daily life of the person concerned (such as financial data that could be used to commit payment fraud);
- Processing activities carried out in employment contexts entailing remote monitoring of the employees (e.g. CCTV systems);
- Continuous processing activities on vulnerable subjects (e.g. minors, elderly etc.);
- Processing of personal data carried out by way of interconnection, combination or comparison of information, including the combination of data on sales of digital goods with payment data (e.g. mobile payment);
- Processing on special categories of personal data (art. 9 of the GDPR) or of data concerning criminal convictions and offences interconnected with other data for different purposes;
- Systematic processing of biometric data, depending on the volume of data, the duration of processing etc.; and
- Systematic processing of genetic data, taking into account the volume of data, the duration of processing etc.
Also, the Garante specified that this list is not exhaustive and other processing activities entailing risks for data subjects should be subject to a DPIA.
The major concern around this list is that it is quite broad and might cover a large number of data processing activities. It should be considered, though, that the list is in any case an interpretation of the provisions of the GDPR, so it is possible that a DPIA is not required in some of the scenarios above where they do not entail high risks for data subjects.
On the topic above you may find the following article interesting: “When and how shall a privacy impact assessment be run?”.