Overview of Italy General Data Protection Regulation

Published January 31, 2022 / Updated December 18, 2024
Author

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Introduction

Italy is a member country of the European Union where the GDPR is fully effective. Italy implemented the GDPR on 19 December 2018 by revising its Personal Data Protection Code as certain sections directly conflicted with the GDPR. In short, the old legislation has been updated to meet the requirements of the GDPR.

One aspect of the GDPR that member states may set differently is the age of consent used to distinguish adult from child data subjects. Italy has set the age of consent for data protection purposes at 14 years old.

Regulatory Authority

The Italian Data Protection Authority (DPA), referred to as the Guarantor for the Protection of Personal Data (GPDP), or the Privacy Guarantor, is an independent regulatory authority headquartered in Rome.

The regulatory authority is responsible for overseeing data protection legislation within the country. The authority has investigative powers to obtain access to information, including personal data, from a data controller or a data processor, and the power to carry out on-premises audits and inspections.

Who Needs to Comply with the Law

According to the GDPR, any entity that collects or processes the personal data of EU residents must comply with the GDPR. Whether that entity operates within or outside the EU, the GDPR will apply to them.

Material Scope

The GDPR governs data processing activities within and outside the EU. Data processing activities include collecting, storing, altering, disclosing, archiving, deleting, or using an individual’s personal data.

Territorial Scope

The GDPR applies to any organization worldwide that offers goods and services to customers or businesses in the EU. In short, the GDPR has an extra-territorial effect, meaning organizations that aren’t based within the EU will still be subject to the GDPR if they process the personal data of EU residents.

Obligations for Organizations Under GDPR

Lawful Basis Requirements

The GDPR allows businesses, organizations, and other stakeholders to process the personal data of EU residents as long as they comply with the legal obligations. However, sharing personal data is only authorized by the law if communicated to the DPA or in the public interest.

Consent is an essential element of the law, which requires the informed and valid consent of the individual to process personal data or to use it for marketing purposes. The law also addresses children’s consent: children 14 years and above can validly express their consent to data processing. For children below the age of 14 years, consent must be provided by a supervisory adult or the holder of parental responsibility.

However, consent of the individual isn’t required when processing their personal health data for scientific research purposes in the medical, bio-medical, or epidemiological sectors.

Privacy Notice

The GDPR requires data controllers to issue a privacy notice and provide certain information to people whose personal data they hold and use. The privacy notice should contain details of the data controller, explain the purpose of collecting, using, and disclosing data, for how long the data will be kept, and the data controller’s legal basis for processing the individual’s personal data.

The privacy notice must be written in clear and plain language, concise, transparent, intelligible, and easily accessible.

Security Requirements

The GDPR introduces specific security measures for those handling the personal data of individuals. Security measures such as encryption, pseudonymization, and data minimization must be implemented. The DPA reviews and establishes such security measures at least every two years.

Data Breach Requirements

The GDPR requires data controllers to notify the DPA, and the affected data subjects, no later than 72 hours after becoming aware of a data breach. The data breach notification must also include:

  • The categories and approximate numbers of individuals and records concerned,
  • The name of the organization’s data protection officer or other contacts,
  • The likely consequences of the breach, and
  • The measures the business will take to mitigate harm.

Data controllers are also required to record all data breaches, whether or not notified to the supervisory authority, and permit audits of the record by the supervisory authority.

Data Protection Officer (DPO) Requirement

The GDPR requires organizations to appoint a Data Protection Officer (DPO) when processing personal data is part of their duties. Under the law, the communications and dealings of DPOs with management are subject to confidentiality obligations.

Data Protection Impact Assessment (DPIA)

Under the GDPR, businesses processing the personal data of individuals must carry out a DPIA before they begin processing that data. Such businesses are required to employ technologies that safeguard the personal data of data subjects.

Record of Processing Activities (RoPA)

The GDPR requires data controllers to maintain a record of data processing activities. Data maintained in the public interest or for other purposes should be used only for their intended purposes.

Third-Party Processing Requirements

The GDPR empowers data controllers to ensure the utmost confidentiality of an individual’s data by identifying all data processors, building an understanding of the data they store, and recognizing how well each data processor secures the data of data subjects.

Cross-Border Data Transfer Requirements

The GDPR allows cross-border data transfer of personal data by a data controller or a data processor if the conditions stated by the GDPR are met. If the host country has adequate data protection mechanisms in place, the personal data of data subjects may be freely transferred to that country.

Under the GDPR, a transfer of a data subject’s personal data is possible if:

  1. Explicit informed consent has been obtained,
  2. The transfer is necessary for important reasons of public interest,
  3. The transfer is necessary for the establishment, exercise, or defense of legal claims, or
  4. The transfer is necessary to protect the data subject's vital interests where consent cannot be obtained.

Data Subject Rights

Under the GDPR, data subjects enjoy a variety of rights that enable them to control the processing of their personal data.

Right to access

Data subjects can request access to their personal data. Data controllers have to comply with the request and provide a copy of the data subject’s personal data if requested.

Right to rectify

Data subjects can request the data controller to rectify any inaccurate or incomplete information without undue delay.

Right to erasure

Data subjects can request the data controller to delete their personal data. However, this right is only valid if the data controller no longer needs the data for the purposes for which it was initially collected or the data subject withdraws their consent.

Right to restriction of processing

Data subjects enjoy the right to restrict the processing of their personal data.

Right to data portability

Data subjects have the right to data portability in a structured and machine-readable format.

Right to object

Data subjects have the right to object to the processing of their personal data. Such a request is made to the data controller who will then have to suspend the data processing of the data subject. Data subjects also enjoy the right to object to the processing of their personal data for marketing purposes.

Penalties for Non-compliance

The DPA may impose administrative fines of up to €10 million, or up to 2% of worldwide turnover. The DPA may also impose heavier fines up to €20 million, or up to 4% of worldwide turnover.

Italy’s GDPR also imposes criminal penalties for the unlawful processing of sensitive data, or the unlawful international transfer of data without the data subject’s consent, ranging from a minimum of six months to a maximum of three years’ imprisonment. Other penalties range from a minimum of one year to a maximum of six years’ imprisonment.

How an Organization Can Operationalize the GDPR

To comply with Italy’s GDPR, organizations must:

  • Understand the organization’s data processing needs, and recognize and categorize personal data and sensitive personal data;
  • Analyze the obligations put in place by the law and devise mechanisms for full compliance;
  • Explicitly obtain the consent of data subjects for data processing activities;
  • Formulate transparent and easy-to-understand data processing policies and privacy notices;
  • Address the requests of data subjects and provide a user-friendly request initiation form to facilitate such requests;
  • Have a dedicated data breach response team for seamless compliance;
  • Ensure cross-border data transfers are made in a secure manner and that the host country respects the law;
  • Regularly carry out data protection impact assessments as required under the GDPR;
  • Have the technical expertise and adequate organizational security measures in place to protect their processing activities.

How Can Securiti Help

The global dynamics of accessing, protecting, and sharing personal data are rapidly changing, requiring organizations to become more privacy-conscious of their processes and responsible guardians of their consumers' data while automating privacy and security operations for swift action.

With a growing base of users and potential users, organizations need to incorporate robotic automation to operationalize compliance at scale. While multiple vendors offer software that enables companies to comply with global privacy regulations, those solutions are often limited by various restrictions or provide only elementary data-driven functions.

Securiti combines reliability, intelligence, and simplicity on its PrivacyOps framework to enable end-to-end automation for organizations. Securiti can help you stay compliant with Italy’s GDPR and other privacy and security regulations worldwide. See how it works. Request a demo today.


Frequently Asked Questions (FAQs)

Yes, GDPR (General Data Protection Regulation) applies in Italy as it does in all EU member states.

GDPR in Italy is the implementation of the General Data Protection Regulation, which governs data protection and privacy rights for individuals within the European Union.

The Italian data protection framework includes the General Data Protection Regulation (GDPR) and the national legislation that complements and implements it. The Italian Data Protection Authority (DPA), referred to as the Guarantor for the Protection of Personal Data (GPDP) or the Privacy Guarantor, is the regulatory authority responsible for overseeing data protection legislation within the country.

Italy's main data protection legislation is the General Data Protection Regulation (GDPR), an EU regulation.

The main law about data protection in Italy (and the EU) is the GDPR. It replaced an older law called the Data Protection Directive from 1995. The GDPR aims to make data security laws more consistent across all EU countries.
