1. Basic National Legal Regime

1.1 Laws

As regards personal data protection and cybersecurity, Italy's main laws are:

  • Regulation (EU) 2016/679 ('General Data Protection Regulation' or 'GDPR');
  • Legislative Decree 196/2003 ('Privacy Code'), which constitutes the transposition of Directive 95/46/EC and Directive 2002/58/EC, and repealed Law 675/1996;
  • Legislative Decree 65/2018, transposing Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the European Union ('NIS Directive'); and
  • Legislative Decree 53/2018, transposing Directive (EU) 2016/681 on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The Privacy Code has been amended and complemented by:

  • Legislative Decree 51/2018, transposing Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (repealing Council Framework Decision 2008/977/JHA); and
  • Legislative Decree 101/2018, adapting the Italian legislation to the GDPR and providing for transitional provisions (or 'GDPR Adaptation Decree').

Further to such amendments, the GDPR became the primary source of data protection provisions in Italian legislation; the Privacy Code only provides additional provisions, essentially where the GDPR entitled EU Member States to do so.

All of the above are complemented by guidelines, recommendations, orders, general authorisations and codes of conduct issued and approved by the Italian Personal Data Protection Authority ('Garante per la protezione dei dati personali' or 'Garante') and by the European Data Protection Board ('EDPB'), ie, a body of the Union – set up by the GDPR – having legal personality that brings together the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives, as well as a representative of the Commission (without voting rights).

The EDPB substituted the Article 29 Working Party ('Art29WP') from the date the GDPR entered into force (25 May 2018), endorsing the guidance already provided by Art29WP and developing additional guidance.

Principles applying to data protection can also be found in the Constitution of the Italian Republic, which lists all fundamental principles governing Italy, and in other national laws, which may address specific categories of personal data and add requirements for lawful processing, eg, Law 633/1941 ('Copyright Law') and Law 300/1970 ('Workers' Statute').

General principles applying to data protection can also be found in:

  • the European Convention on Human Rights adopted by the European Court of Human Rights;
  • the Charter of Fundamental Rights of the EU; and
  • the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the so-called Convention 108) of the Council of Europe, which is the sole binding instrument on data protection at an international level.

1.2 Regulators

The Garante is the main authority in charge of verifying whether data processing operations are carried out in compliance with the laws and regulations in force. Such tasks shall be discharged, inter alia, by:

  • asking controllers, processors, data subjects or third parties to provide information and produce documents;
  • carrying out investigations and accessing premises where processing operations take place;
  • notifying the controller or processor of an alleged infringement;
  • ordering controllers or processors to adopt such measures as are necessary or appropriate;
  • prohibiting unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations;
  • issuing opinions whenever required;
  • imposing fines; and
  • reporting information on facts and/or circumstances amounting to offences to be prosecuted.

The Garante shall act either ex officio, or upon receipt of reports and complaints lodged by data subjects or the associations representing them.

1.3 Administration and Enforcement Process

Data subjects may apply to the Garante to report an infringement of the relevant provisions on the processing of personal data, to call for a check on the mentioned provisions, or to lodge a complaint.

Any claim shall be filed either with the Garante or with the civil courts, alternatively and not cumulatively (save for the fact that an infringement of data protection provisions might also amount to a criminal offence). The two remedies differ in that proceedings before the Garante do not require any formality, but the Garante is not entitled to award monetary compensation for damages; and judicial proceedings have no fixed term, whereas the term given to the Garante is nine months from the date on which the complaint was lodged, extendable up to 12 months if the enquiries are especially complex (and suspended if the co-operation procedure under Article 60 of the GDPR is started).

The Garante's decision may be challenged by filing a petition with the judicial authority. Such a challenge does not automatically suspend enforcement of the decision.

1.4 Multilateral and Subnational Issues

To grant the same level of personal data protection throughout the EU, national laws have been harmonised through Directive 95/46/EC and Directive 2002/58/EC, and then standardised through the GDPR.

Being a member of the EU, Italy shall abide by European regulations and directives and shall disapply any national laws inconsistent with EU rules and principles; this is why the Privacy Code transposed Directive 95/46/EC and Directive 2002/58/EC, and was amended by the GDPR Adaptation Decree.

The latter also determines the transition period and expressly states that its provisions and further Italian laws shall be applied and interpreted according to EU relevant laws. Likewise, guidelines, recommendations and orders issued and approved by the Garante shall be deemed to remain in force insofar as they are consistent with the GDPR. Existing codes of conduct and general authorisations for processing of 'sensitive' data are expressly subject to a review process.

The Garante issues guidelines, orders and measures to clarify and supplement the legislation, as well as to simplify data protection compliance requirements (in particular for small and medium-sized enterprises). These are published in Italy's Official Journal ('Gazzetta Ufficiale'), and therefore have a regulatory nature. Controllers and processors are obliged to comply with them, and their application may be enforced either ex officio or at the request of data subjects.

1.5 Major NGOs and Self-Regulatory Organisations

Of the non-governmental organisations (NGOs), Federprivacy (Italian Privacy Federation), Istituto Italiano Privacy (Italian Privacy Institute), Asso DPO (Data Protection Officer Association) and Associazione Nazionale per la Protezione dei Dati (National Association for Data Protection) deserve mention. These associations provide membership to privacy professionals, offer training on privacy issues and strengthen contacts with the Garante.

Many NGOs were established soon after the entry into force of the GDPR – a sign of the increased awareness of the importance of data protection, thanks to the new European regulation.

Collective organisations representing specific categories of controllers or processors for general purposes may draft codes of conduct, or amend or extend existing ones, for the purpose of specifying the application of privacy legislation. Codes of conduct shall be approved by the Garante prior to their registration and publication. In relation to processing activities in several EU Member States, the prior opinion of the EDPB shall be sought and, if it confirms compliance of the code with the GDPR, the Commission shall give validity to the code within the EU by way of implementing acts.

To date, the Garante has confirmed the consistency and, therefore, the effectiveness of some codes of conduct already approved under the Privacy Code – for example, those on data processing for journalism, for scientific research or statistical purposes, for defensive investigations and for the establishment, exercise or defence of legal claims, and for archiving purposes in the public interest or historical research purposes.

1.6 System Characteristics

Following the EU model, Italy is highly regulated, and European data protection systems are indeed more developed than those of non-EU countries.

Compared to other supervisory authorities, the Garante is one of the most active in verifying and ensuring compliance with data protection rules and principles.

1.7 Key Developments

The major development in the past year has been the adaptation of the Italian legal system to the GDPR. The GDPR Adaptation Decree was eagerly awaited and came as a surprise: early rumours had announced the repeal of the Privacy Code, whereas the Decree only amended the Privacy Code and added some transitional provisions.

In parallel, the Garante has issued various guidelines and templates concerning:

  • data protection officers (DPOs), both in the private and in the public sector, a draft appointment agreement for DPOs and an online procedure for the communication of their contact data;
  • records of processing activities, and a template addressed to small- and medium-sized enterprises;
  • processing requiring a data protection impact assessment (DPIA), in addition to those provided by the GDPR;
  • data breaches, providing a dedicated email address for due notification;
  • a template to help data subjects in exercising their rights under the GDPR; and
  • various information sheets summarising the main duties of controllers.

These guidelines are in addition to those issued by Art29WP and the EDPB, concerning:

  • DPO;
  • DPIAs;
  • consent;
  • transparency;
  • automated decision-making and profiling;
  • data breaches;
  • records of processing activities;
  • right to data portability;
  • criteria to identify the lead supervisory authority;
  • criteria for application and setting of administrative fines;
  • certification and identifying certification criteria;
  • derogations to the transfer of personal data to third countries;
  • territorial scope of the GDPR; and
  • accreditation of certification bodies.

Art29WP also started the review process for the approval of binding corporate rules (BCRs).

Accredia has been designated as the Italian certification body in charge of issuing certifications pursuant to Article 43 of the GDPR.

1.8 Significant Pending Changes, Hot Topics and Issues

Brexit is probably the hottest topic on the horizon for the next 12 months. The consequences for data protection are not yet clear but will undoubtedly be of paramount importance, as the UK will become a third country.