Italy is a member state of the European Union, so the GDPR applies there directly. Italy aligned its national law with the GDPR through Legislative Decree 101/2018, in force since 19 September 2018, which amended the Personal Data Protection Code (Legislative Decree 196/2003) because several of its provisions conflicted with the GDPR. In short, the older legislation was updated to meet the requirements of the GDPR.
One aspect the GDPR leaves to member states is the age below which a child cannot consent on their own to processing connected with online (information society) services. Italy has set that age at 14.
The Italian Data Protection Authority (DPA), referred to as the Guarantor for the Protection of Personal Data (GPDP), or the Privacy Guarantor, is an independent regulatory authority headquartered in Rome.
The authority oversees compliance with data protection legislation in Italy. It has investigative powers to obtain access to information, including personal data, held by a data controller or a data processor, and the power to carry out on-site audits and inspections.
According to the GDPR, any entity that collects or processes the personal data of individuals in the EU must comply with it, whether that entity is established inside or outside the EU.
The GDPR governs processing activities inside and outside the EU. Processing covers any operation performed on personal data, including collecting, recording, storing, altering, disclosing, archiving, deleting, or otherwise using an individual's personal data.
The GDPR applies to any organization worldwide that offers goods or services to individuals in the EU, or that monitors their behaviour there. In short, the GDPR has extra-territorial effect: organizations not based in the EU are still subject to it if they process the personal data of individuals located in the EU.
The GDPR allows businesses, organizations, and other stakeholders to process the personal data of individuals in the EU as long as they rely on a valid legal basis and meet the law's obligations. The Italian Privacy Code additionally permits the communication of personal data by public bodies only where this is provided for by law or regulation or, failing that, where it is necessary for a task carried out in the public interest, with prior notice to the DPA.
Consent is a core element of the law: processing based on consent, including processing for marketing purposes, requires the data subject's freely given, specific, informed and unambiguous consent. The law also addresses children's consent. In relation to online services, children aged 14 and above can validly give consent themselves; for children under 14, consent must be given or authorised by the holder of parental responsibility.
However, the data subject's consent is not required when their health data are processed for scientific research in the medical, biomedical, or epidemiological fields, subject to the conditions laid down in the Italian Privacy Code.
The GDPR requires data controllers to issue a privacy notice giving certain information to the people whose personal data they hold and use. The notice must identify the data controller, explain the purposes for which data are collected, used, and disclosed, state how long the data will be kept, and set out the controller's legal basis for processing the individual's personal data.
The privacy notice must be written in clear and plain language, concise, transparent, intelligible, and easily accessible.
The GDPR requires those handling personal data to implement security measures appropriate to the risk, such as encryption and pseudonymization, alongside data minimization. In Italy, the DPA additionally adopts, at least every two years, specific safeguards for the processing of genetic, biometric and health data.
The GDPR requires data controllers to notify the DPA of a personal data breach no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. The breach notification must also include:
Data controllers must also document all data breaches, whether or not they were notified to the supervisory authority, and make that record available for audit by the supervisory authority.
The GDPR requires organizations to appoint a Data Protection Officer (DPO) where they are public authorities or bodies, or where their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Under the law, the DPO's communications and dealings with management are subject to confidentiality obligations.
Under the GDPR, businesses must carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, and must adopt technical and organisational measures that safeguard the personal data of data subjects.
The GDPR requires data controllers to maintain a record of their processing activities. Personal data collected for a specified purpose, including tasks carried out in the public interest, must be used only for purposes compatible with the one for which they were collected.
The GDPR requires data controllers to protect the confidentiality of the personal data they entrust to others: they should identify all their data processors, understand what data each processor holds, verify how well each processor secures that data, and use only processors that provide sufficient guarantees.
The GDPR permits cross-border transfers of personal data by a data controller or a data processor when the conditions it lays down are met. If the European Commission has found that the destination country offers an adequate level of data protection, personal data may be transferred there freely.
Under the GDPR, the transfer of a data subject's personal data to a third country is possible if:
Under the GDPR, data subjects enjoy a variety of rights that enable them to control the processing of their personal data.
Data subjects can request access to their personal data. Data controllers must comply with the request and provide a copy of the data subject's personal data on request.
Data subjects can request the data controller to rectify any inaccurate or incomplete information without undue delay.
Data subjects can request the data controller to erase their personal data. This right applies in specific circumstances, for example where the controller no longer needs the data for the purposes for which it was collected, or where the data subject withdraws the consent on which the processing was based and no other legal basis applies.
Data subjects enjoy the right to restrict the processing of their personal data.
Data subjects have the right to data portability: to receive their personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
Data subjects have the right to object to the processing of their personal data. On receiving such a request, the data controller must stop the processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests. Data subjects also have an unconditional right to object to the processing of their personal data for direct marketing purposes.
The DPA may impose administrative fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher, for less serious infringements, and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious ones.
Italy's Privacy Code also imposes criminal penalties for unlawful processing of personal data, including the unlawful processing of sensitive data and the unlawful international transfer of personal data, punishable by imprisonment ranging from a minimum of six months to a maximum of three years. Other offences carry imprisonment ranging from a minimum of one year to a maximum of six years.
To comply with Italy’s GDPR, organizations must:
The global dynamics of accessing, protecting, and sharing personal data are changing rapidly, requiring organizations to become more privacy-conscious in their processes and responsible guardians of their customers' data, while automating privacy and security operations so they can act swiftly.
With a growing base of users and prospective users, organizations need automation to operationalize compliance at scale. While many vendors offer software for complying with global privacy regulations, those solutions are often constrained by restrictions or limited to elementary data-driven functions.
Securiti combines reliability, intelligence, and simplicity on its PrivacyOps framework to enable end-to-end automation for organizations. Securiti can help you stay compliant with Italy's GDPR and other privacy and security regulations worldwide. See how it works: request a demo today.