When and why?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council) comes into force on May 25, 2018. It is the latest EU law passed to safeguard the privacy of citizens, imposing strict standards on business activities involving the collection of data of clients, contractors, users and employees. The new Regulation has immediate and identical application in all 28 Member States of the EU. The GDPR supersedes EC Directive 46/95 currently in force, implemented in Italy through the Legislative Decree 196/03 (Data Protection Law) and expands existing obligations. The Italian Data Protection Authority (DPA) issued its guidelines for businesses as they transition from the Italian Code to the General Data Privacy Regulation (see below). The main goal of the new regulation is to guarantee to citizens of the European Union (or persons who reside in the EU) that his/her personal data will be managed in a more transparent way, even if the “data processor”, the company who is collecting the information, is based outside the EU.
Data processing occurs whenever any operation or set of operations (such as collection, storage, recording, organisation, retrieval, consultation, deletion and publication) is performed on personal data whether by automated means or not.
Under the new regulation, data processing requires the free, specific and informed consent of the person involved. As previously, special consent is required for specific types of data (“sensitive data”), such as political opinions, sexual orientation or medical conditions. The GDPR specifies the valid age of consent for minors at 16 years, which means that under that age the company that collects the information is obliged the authorization for the data collection from the minor’s parents or guardians.
Information regarding the way personal data will be managed, processed and collected must be delivered prior to consent for data collection. The data owner must also be informed about whether providing information is obligatory; the contact information of the Data Protection Officer (DPO) and acquire subjects’ consent for disclosing data (what data is disclosed and to whom the data is disclosed); how long the data is kept; and if the treatment involves automated decision-making processing and why.
The GDPR alters the rights of interested parties. The right of access and deletion (referred to as the “right to be forgotten”) to your own data is expanded so the person has the right to receive a full copy of any personal data processed, rather than knowledge of the mode of processing. The right to cancel data means that data controllers must set up a procedure to ensure that third parties, which process the data on behalf of the data controller, also erase the information following the exercise of the “right to be forgotten”. The GDPR also introduces the right to data portability, which requires consent or a contract with the subject to allow portability.
As for defining the owner or processor in charge of processing data, the GDPR governs co-ownership. The GDPR allows for the appointment of sub-controllers and distinguishes between the obligations of controllers and processors. Additionally, the GDPR specifies that all processors and owners of data treatment must keep a written and electronic register of processing operations.
The GDPR empowers owners to decide the guarantees and limits of processing and to assess security measures on an individual basis. The supervisory authority will intervene ex-post, empowering owners to be responsible for data security. Lastly, the notification duties of the processors expand to notify the control authority for the protection of data of any breaches, not only providers of electronic communications services.
Can data controllers store cookies or equivalent devices on the data subject’s terminal equipment?
The GDPR does not change the flow of data, though transfers can begin without the guarantor’s authorization. The GDPR allows for code of conduct or certification schemes to demonstrate adequate security guarantees and requires that data flows to a third country are only performed where international agreements are similar between states.
Failure to provide an information notice or providing an inadequate information notice to the data subject, or failure to adopt minimum security measures or unlawful data processing may result in extremely severe fines ranging from 10,000 to 300,000 euro and more, depending on the type of violation and the size of the company.
If your company or business requires you to collect your clients’ information, you cannot wait any longer. That short disclaimer (generally mentioning “the information where managed according to Data Protection Law) that you have used at the end of your emails or websites may no longer be enough to comply with the new regulation. With the help of a privacy expert, now is the time to review your Data Protection Policy.
Review guidelines from the Italian Data Protection Authority
1. Assess the current state of your security practices and identify gaps and design security controls (create a “data map”). Ensure that you collect more detailed and explicit consent, including whether the information will be used for automated decision making, such as profiling.
2. Review the information provided to your clients. Obtaining consent prior to May 25, 2018 is only valid if it has all the features included in the GDPR, otherwise new consent is necessary.
3. The privacy information notice must be concise, transparent, easily accessible and easy to understand, and should expressly mention the storage period of personal data. Remember that after that time the data must be destroyed or made anonymous.
4. Find and prioritize security vulnerabilities. Review stakeholder positions to ensure compliance with the GDPR’s co-ownership structure.
5. Assess data subject rights to consent, access, correct, delete and transfer personal data and verify that legal basis for processing applies under GDPR.
6. Notification to the Italian Data Protection Authority: Data controllers must notify the IDPA before starting data processing activities if: a) The data processing concerns certain types of data, such as genetic and biometric data or other data disclosing the geographic location of individuals or objects; b) Personal data is processed for certain purposes, such as profiling purposes or to assess creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful or fraudulent conduct.
7. Keep continuously updated records of what data is kept, where the information is stored, why it is kept, how it is processed and used, and how the data flows.
Personal data: any information relating to an identified/identifiable natural person (i.e. name, location data, etc.)
Data controller: person (or company) that determines the purposes and means of processing personal data (also referred to as the owner)
Data processor: person (or company) that processes personal data on behalf of the controller
Data protection officer (DPO): person in charge of the data processing. This is the natural person in charge of the data processing on behalf of either the data controller or the data processor. The instrument appointing such a person and the instructions provided must be made in writing. This person (or company) must have specific knowledge and particular skills in IT, legal, risk assessment and process analysis. His/her tasks include: Observation, evaluation and management of processing personal data to ensure compliance with GDPR requirements; Educating the company and employees on requirements; Training staff involved in data processing; Conducting audits to ensure compliance; Monitoring performance and assessing the impact of data protection efforts; Maintaining comprehensive records of all data processing activities. They also serve as a contact between the company and GDPR Supervisory Authorities and an informant for data subjects about their right.
Michele Capecchi, a registered lawyer and member of the Florence Bar Association, holds a master of laws in American law and international legal practice from the Loyola Law School in Los Angeles. He writes on general legal issues for TF and will consider relevant inquiries sent to firstname.lastname@example.org and info@CapecchiLegal.com for upcoming articles. Author of the book “Legal Advice for Expats in Italy“, published by The Florentine Press.