The Italian privacy authority published its inspection plan for the first half of 2021, which identifies several specific areas of intervention, most of which are different from those in previous inspection programs.
Through the resolution of December 10, 2020, the Italian data protection authority, the Garante, adopted the new inspection plan for January-June 2021, thus setting the new order of priority for the first part of the current year.
In particular, through the collaboration of the Italian tax police, 50 inspections in the form of dawn raids will be carried out (which is higher than the 30 of the previous second half of 2020, but still lower than the 80 of the first half of 2020). They will be mainly focused on the processing of personal data either particularly sensitive or carried out in the context of sectors considered at high risk, i.e.:
- biometric data processed for facial recognition, including through video surveillance systems;
- personal data processed in the so-called “domestic video surveillance” sector and the sector of audio/video systems applied to games such as connected video game;
personal data processed by data brokers; and
- personal data processed by companies operating in the “Food Delivery” sector.
This is a largely new list. The Italian privacy authority’s radar has shifted from the processing carried out through whistleblowing applications and by intermediaries for electronic invoicing to focus on the so-called “new scenarios of modern society.” In particular, the reference to connected video gaming platforms is in line with the level of attention brought by other Italian authorities on age verification and contents of video games (Read on the topic “Content and age verification requirements on video game platforms in Italy“).
Likewise, the focus on food delivery services originates from a recent decision from the court of Bologne on the algorithm used to rate riders.
Besides, the Garante underlined that the spread of Covid-19 and the consequent health crisis that followed “has amplified the risks connected to the greater dependence on data and technologies also in terms of concentration of market power and surveillance, making evident the need for effective guarantee mechanisms to safeguard fundamental rights and freedoms at the outcome of appropriate cognitive initiatives, also of inspection type.”
In line with the previous inspection plan, the Italian privacy authority will also investigate data breaches and the adoption of adequate security measures under data protection law, as well as, in general, compliance with the provisions relating to the proper information of data subjects, the conditions for the lawfulness of processing, the validity of the provision of consent and the duration of data retention.
Without prejudice to the above, the Italian data protection authority emphasized that further inspections and audits could be carried out based on received complaints.
On the above-mentioned topic, you can read the article “How to be prepared for privacy dawn raids under the GDPR?“.