The Italian data protection authority’s new inspection plan focuses on high-risk areas and data breaches and notes an increase in sanctions issued under the GDPR.
On October 1, 2020, the Italian data protection authority approved its inspection plan for the second half of 2020. The plan is consistent with the one approved in February 2020 by the previous board of the Garante and focuses mainly on the processing of personal data carried out in particularly sensitive areas.
For the period July-December 2020, 30 inspections, which normally take the form of dawn raids, will be carried out on the authority's own initiative, also with the collaboration of the Italian tax authority. The inspections will continue to focus mainly on the processing of personal data carried out:
- through applications for reporting illegal conduct (so-called “whistleblowing”);
- by intermediaries for electronic invoicing;
- by public entities concerning the issuance of personal and civil status certificates through the National Register of Resident Population;
- for the management and recording of telephone calls within the call center service;
- by companies operating in the food delivery sector; and
- as part of the so-called “reputational rating.”
The inspection plan also confirms the Italian data protection authority's interest in the analysis of data security breaches (i.e., data breaches), as well as its commitment to verifying that public entities and companies that process special categories of personal data have adopted adequate security measures under data protection laws. More generally, the inspections will ascertain compliance with the provisions on the proper information of data subjects, the conditions for obtaining consent (where the processing relies on this legal basis) and the duration of data retention. By contrast, the checks on the pharmaceutical and healthcare sectors are not repeated.
In any case, regardless of whether a data controller falls within the categories listed in the inspection plan, the Office may carry out further inspection and auditing activities on its own initiative or in response to reports or complaints.
Indeed, in most cases, a dawn raid from the Italian data protection authority arises from a complaint filed by an individual through the dedicated hotline established by the Garante.
Therefore, it is essential that all data controllers comply with the regulations and are able, from an accountability perspective, to demonstrate that they have complied with the provisions of the GDPR. In this regard, the financial report of the Italian data protection authority on inspections and sanctions issued in the first half of 2020 records a significant increase in total revenue from paid sanctions, which rose from € 1.223 million in the first half of 2019 to € 7.108 million, an increase of 481%. In the same period, sanctions were issued for a total amount of € 5.52 million (+124%), against € 2.248 million in the first half of 2019.
The scenario outlined above urges companies to prepare for an inspection by the Italian data protection authority, despite the current Covid-19 pandemic. For this purpose, see the article “Top 5 immediate actions to get ready for Italian privacy dawn raids”.
Image credit Nick Kidd