Privacy fines, the organizational structure of data protection compliance and how to determine whether a party is a data controller or a data processor are among the topics covered at the DLA Piper Italy event marking the first birthday of the GDPR.
The DLA Piper Italy event on the birthday of the GDPR
As previously announced, DLA Piper Italy held an event on 29 May 2019 in Rome to celebrate the first birthday of the GDPR. The speakers included Luigi Montuori, Head of International Relations of the Italian data protection authority, and Michela Massimi, Head of the Public Relations Office of the Italian data protection authority, together with Giorgio Aprile, Data Protection Officer of Ferrovie dello Stato Italiane, Enrico Ferretti, Managing Director of Protiviti, Emanuele Greco, Partner at Opentech, Giuseppe Mastantonio, Senior Legal Counsel & DPO of Open Fiber, Paolo Quaini, General Counsel of Alitalia, and Stefania Trogu, Director Litigation & Privacy of Lottomatica.
Below are the top 5 takeaways that emerged from the debate:
1. € 56 million in fines, but sanctions are not the sole incentive to comply with the GDPR
According to the data published by the European Data Protection Board, the total amount of privacy fines issued before the first birthday of the GDPR was € 55,955,871. At the same time, data protection authorities have started conducting privacy dawn raids, which were already quite frequent in Italy but are a complete novelty in other jurisdictions.
Some companies are running dawn raid simulations and training and have adopted an internal policy on how to manage an inspection. The inability to properly handle an inspection by the data protection authority can indeed lead to lengthy disputes and high sanctions.
On the topic, you can read the article “Top 5 immediate actions to get ready for Italian privacy dawn raids“.
2. The data protection compliance organizational structure cannot rely just on a global DPO
A frequent scenario in large multinational companies is a single global DPO who does not know much about the local privacy compliance of the group entities and instead relies on privacy champions, who in turn cannot have control of the whole company and operate without explicit instructions.
This arrangement is difficult to defend in a potential dispute or a privacy dawn raid, where the data protection authority will ask to meet the appointed DPO in person and to discuss the company's privacy-related issues with him or her. An alternative option is to appoint privacy stewards in each department who monitor compliance and report to the privacy champions.
Whatever the model, the roles and responsibilities of each individual included in the group's data protection compliance organizational structure must be clearly defined, with a formal letter of appointment that is accepted by the appointee and can be handed over to the authorities on request. At the same time, employees and officers need clear and specific instructions on how to process personal data.
Below is a structure that we adopted for some clients to tailor to the specifics of each entity.
3. Are you a data controller or a data processor?
The question most frequently put to the Italian data protection authority is whether an entity operates as a data controller or as a data processor.
The criteria followed by the authority take into account the level of independence of the supplier and whether it can determine the means of the data processing. There is no one-size-fits-all answer, and a case-by-case assessment is necessary.
There is, however, a risk of requalification: if a supplier has full control over the operations of its business and those operations cannot be adjusted to the needs of the instructing party in any manner, the supplier is requalified as an autonomous data controller. This leads to significant issues, such as identifying the legal basis for the data transfer between two data controllers.
4. The legal framework is still uncertain, but companies need to justify their privacy-related decisions
The Article 29 Working Party first, and now the European Data Protection Board, have issued several guidelines to clarify the scope of the obligations provided by the GDPR. The Italian data protection authority is also planning a series of videos and events to better inform companies of their data protection law obligations.
Unfortunately, each national data protection authority has also issued its own guidelines, which contributes to a higher level of uncertainty.
The crucial point is being able to justify, under privacy laws, the decisions adopted on privacy compliance and to document them, in line with the principle of accountability.
5. The ePrivacy Regulation still has an uncertain deadline
With the new European Parliament still in the process of being set up, the timing of adoption of the ePrivacy Regulation remains uncertain. Hopefully the work performed during the previous months will not be lost and the Regulation will be adopted soon, but there is no specific deadline.
You can have a look at my presentation displayed during the event below, and read on what happened during this first year of GDPR in this article “Happy birthday GDPR, the Far West of privacy has just started!“.