Privacy Law | Petrocchi&Partners

Data Protection and Privacy in Italy

Privacy in the legal context describes the individual’s right to confidentiality of personal information and private life. To ensure the compliance of individuals and businesses and to prevent such information from being spread or processed without the individual’s consent, various laws on data protection and privacy are in place worldwide, in the European Union (“EU”) as well as in Italy.
For a better understanding, the relevant organisational and ever-evolving regulatory framework (I.) with its general principles and applicability (II.) is laid out, followed by the lawfulness of processing of data (III.) and several special provisions (IV.). Finally, the corresponding rights of data subjects (V.) are described and a conclusion (VI.) is drawn.
In detail:

I. Organisational and regulatory framework
The right to privacy and the protection of personal data has been recognised in most national legislation for years as a fundamental right and freedom of natural persons (cf. Art. 8 of the Charter of Fundamental Rights of the EU as well as Art. 2 of the Italian Constitution). In the past decades it has become a worldwide focus, leading to increasing legislation aimed especially at providing the necessary instruments for regulating the processing of data by businesses.
The most important recent framework for data protection and privacy aiming at harmonising data protection law in the EU, which is also considered to have set the global standard, is Regulation (EU) No. 2016/679 – General Data Protection Regulation (“GDPR”) – in force since the 28th of May 2018. In addition to companies whose business model includes the collection and processing of (personal) data in the Union, all larger companies, especially those in the digital economy, are affected by the new legal basis for data protection.
However, the harmonisation and standardisation of data protection law has only been achieved to a limited extent. In addition to leaving room for national regulations, the GDPR contains a series of opening clauses that allow or require member states to adopt different and/or supplementary regulations.
Accordingly, the existing Italian regulatory framework, the Italian data protection law (“Codice in materia di protezione dei dati personali”, Legislative Decree from the 30th of June 2003, No. 196, hereinafter “IDPA”), has been amended to reflect the changes introduced by the GDPR, especially with regard to conflicting provisions. The legislative decrees implementing these changes, in particular Legislative Decree from the 10th of August 2018, No. 101, did not repeal the IDPA, which now contains residual provisions in addition to those of the directly applicable GDPR.
Compliance with the regulation is monitored by the supervisory Data Protection Authority (“DPA”), in Italy the “Garante per la Protezione dei Dati Personali” (“Garante”), pursuant to Article 51 GDPR. The Garante is an independent administrative authority established by the so-called privacy law on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Law No. 675 of the 31st of December 1996, implementing Directive 95/46/EC of the European Parliament and of the Council, which was later replaced by the GDPR), and subsequently regulated by the aforementioned IDPA. The IDPA establishes that the Italian DPA is the supervisory authority responsible for monitoring the application of the GDPR.

II. General principles and applicability

In general, data protection laws are based on principles such as (cf. Art. 5 GDPR):
• Lawfulness, fairness, transparency, integrity and confidentiality when it comes to processing (cf. lawfulness of processing under III.),
• Purpose limitation to a compatible use of data with regard to the collection of data,
• Data minimisation and accuracy of the data,
• Storage limitation especially with regard to periods and purposes,
• Informed consent and participation of persons involved,
• Security to safeguard against the risk of loss, damage or unauthorised access and
• Accountability of the controller for the compliance with the aforementioned principles.
The applicability of data protection law under the GDPR is to be assumed if the data processed by any controller is in any way connected to a natural person or if such a connection can be established. The most common terms are broadly defined as follows (cf. Art. 4 GDPR):
“Personal data” is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 No. 1 GDPR). “Sensitive” or “special personal information” refers to information that pertains to ethnic origins, political, religious or philosophical beliefs, health status, sex life or sexual orientation, explicitly genetic or biometric data, and data regarding minors. E.g., Article 2-septies IDPA (“Misure di garanzia per il trattamento dei dati genetici, biometrici e relativi alla salute”) sets out how the Garante is to adopt safeguards for the processing of genetic, biometric and health data, which must be updated at least every two years.
“Processing” of data includes all operations or activities in relation to data, whether or not by automatic means, including the collection, recording, organisation, structuring, storage, modification, transfer and destruction thereof (Art. 4 No. 2 GDPR).
“Data Controller” may be any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR). “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 No. 8 GDPR).
“Electronic communication services” are defined in Article 121 IDPA (“Servizi interessati e definizioni”).
In terms of territorial scope, the Regulation applies to all data controllers and processors in the EU processing personal data. For controllers and data processors outside the EU, the market location principle applies.
The IDPA extends its personal scope regarding the enforcement of data subjects’ rights (Articles 15-22 GDPR) to deceased persons; in particular, Article 2-terdecies (“Diritti riguardanti le persone decedute”) allows other persons with an interest, so-called “Representatives”, to exercise the rights of the data subject, unless this is prohibited by law or, in the case of information society services supplied directly to the deceased, the deceased has expressed a contrary wish by means of a written declaration.

III. Lawfulness of processing of data
To process any information, businesses are required to fulfil the aforementioned principles upon which data protection laws are based. For that, they are obliged to carry out a privacy impact assessment to identify and minimise the risks to the rights and freedoms of natural persons arising from the processing; certain types of organisations are also required to appoint a Data Protection Officer (“DPO”), who is responsible for monitoring compliance with data protection legislation as well as internal policies and who notifies and communicates with the competent Garante (through: This applies also to processing by judicial authorities (Art. 2-sexiesdecies IDPA, “Responsabile della protezione dei dati per i trattamenti effettuati dalle autorità giudiziarie nell’esercizio delle loro funzioni”).
In principle, the GDPR establishes a general prohibition on the processing of personal data, subject to (legal) permission. Accordingly, a business may process personal data only on one of the following legal bases (cf. Art. 6 GDPR):
Consent of the person concerned, which is defined (cf. Art. 4 (11) GDPR) as an indication of the person’s agreement to the processing of personal data (as well as location data and the use of cookies) relating to him or her that is:

Freely given with regard to the person’s genuine freedom of choice; the person must be able to refuse or withdraw consent without suffering any disadvantage;
Specific as to how the data will be used and the purpose of the processing operations; a “blanket consent” would be ineffective, and a description that is too abstract invalid;
Informed: the data subject must be provided with information regarding the extent of the consent given, the business and what types of data will be processed; and
Unambiguous, referring to a clear affirmative act in an intelligible and easily accessible form in simple language; there is no strict requirement for written form, but mere silence or inaction does not constitute consent.
Supplementary, according to Article 2-quinquies (1) IDPA (“Consenso del minore in relazione ai servizi della società dell’informazione”), a child under the age of 14 may consent to the processing of data through information society services.
In the case of scientific and medical research, special categories of data may be used without consent, cf. Article 110 IDPA.
Necessity for the performance of a task carried out in the substantial public interest (cf. Art. 9(2)(g) GDPR) or in the exercise of the business’s official authority; this substantial public interest is further described in Article 2-sexies(2)(a-z) IDPA (“Trattamento di categorie particolari di dati personali necessario per motivi di interesse pubblico rilevante”), including e.g. access to administrative documents and citizenship rights.

Legal obligation (legislation); e.g. the processing of data relating to criminal convictions and offences is set out in Article 2 IDPA and may only be carried out if permitted by law.

Contractual obligation of the business and the data subject, if and to the extent that it is necessary for the establishment, performance or termination of a contract.

Balancing of legitimate interests: if the data subject’s interests or fundamental rights and freedoms override the interests of the controller/business or of third parties, then processing cannot be carried out on the basis of the business’s legitimate interest; particularly high requirements are to be placed on the legitimate interests if children are affected (cf. Art. 6(1)(f) GDPR, at the end).

IV. Special provisions
For the processing of personal data the following rules must also be taken into account.
Regarding cross-border transfers of personal data to third countries (meaning outside the European Economic Area), the existing legislation provides limitations that require a standard of privacy protection in the destination country that is adequate in comparison to that under current EU legislation. Otherwise, transfers are possible on the basis of consent or under a contractually concluded agreement, the so-called “Standard Contractual Clauses”. To determine the adequacy of the level of data protection of a third country or an international organisation, the European Commission has the power to make a so-called adequacy decision with effect for the entire Union.
In addition, the requirements for the retention of data must be observed: data must be stored for the shortest time possible to keep processing to a minimum. Article 99 IDPA allows personal data to be processed beyond the normal retention period or after the termination of the processing for scientific purposes or archiving in the public interest, while Article 106 IDPA requires corresponding guidance from the Garante. For scientific and statistical research, further special provisions are to be found in Article 110-bis IDPA. Under Article 111 IDPA the Garante promotes the adoption of ethical rules in the context of employment.
For direct marketing via email/messaging, the recipients must either have had the possibility to opt in to receive direct marketing or already be an existing customer of the relevant business and its products. Recipients have the right to object to this form of marketing and to opt out at any time.
In case of a data breach, meaning access to data by an unauthorised party (whether through an attack on a cybersecurity system, negligence or a system failure), the business remains legally responsible for any data under its control. If the personal information of individuals in the EU is affected by a data breach, the GDPR requires the party responsible for the data to notify the supervisory authority in the EU without undue delay, and at the latest within 72 hours after becoming aware of the security breach (cf. Art. 33 GDPR).
The rules on the use of cookies depend firstly on the kind of cookie: technical or profiling. For the latter, the data subjects must give their prior consent in Italy, e.g. through a privacy notice on the website. Technical cookies are subject to fewer requirements, but the data subject must still be informed about them, e.g. via the general privacy policy of the website. Special rules regarding the information to be provided in case of the transmission of CVs or direct applications are to be found in Article 111-bis IDPA, according to which the requirements of Article 13 GDPR must be fulfilled at the time of the first contact. Consent to the processing of the data in the CV is not required under the conditions of Article 6(1)(b) GDPR.
Penalties for unlawful conduct are to be found in:
• Articles 167, 167-bis, 167-ter and 168 IDPA, under which violations may be sanctioned with a prison sentence for: unlawful processing, transfers, dissemination, fraudulent collection of personal data, false statements or interference with regard to the Garante;
• Article 170 IDPA for sanctions relating the disregard of measures by the Garante under Articles 58 (2) (f) GDPR, 2-septies (1) IDPA or Article 21(1) of the legislative decree implementing Article 13 of law no. 163 of 25 October 2017;
• Article 171 IDPA for sanctions in the field of employment (Articles 4 and 8 of the Italian Workers’ Statute);
• Article 172 IDPA, under which a conviction for any of the above criminal offences entails publication of the relevant judgment.

V. Rights of the parties involved
The parties involved have several rights with regard to their data, especially the rights to transparency, information and access according to Article 12 et seq. GDPR.
Accordingly, data subjects have the right to be informed about the origin of the data, the purposes of the processing and the categories of the data processed, the recipients, the planned storage period and whether the data is used for automated decision-making or profiling. Additionally, they shall be informed of their rights of rectification and objection: to request the rectification, updating and erasure (“right to be forgotten”) of their data if it is incomplete, erroneous or collected in violation of the law, to restrict and to object to its processing for legitimate reasons with respect to the initial request, and to lodge a complaint with the Garante.
In any case of transfer to third countries or international organisations, they are entitled to be informed about the appropriate safeguards, cf. Art. 46 GDPR.
The IDPA restricts the rights of data subjects in the following cases:

• According to Article 2-undecies (“Limitazioni ai diritti dell’interessato”) for money laundering, assistance to victims of extortion claims, activities of parliamentary investigative commissions, activities of a public body, conducting defence investigations or exercising a right in court, whistleblowing, exercise of the rights of data subjects of deceased persons;

• According to Article 138 with regard to the personal data on journalistic sources.
The controller, on the other hand, has the right to refuse to comply with a request for erasure in specified circumstances. These include, e.g., the exercise of the right of freedom of expression and information; the performance of a task in the public interest or for certain purposes (archiving, statistical, scientific or historical); compliance with a legal obligation; or the establishment, exercise or defence of legal claims.

VI. Conclusion
While the data protection and privacy legislation – at least in the EU – is mostly characterised by the provisions of the GDPR, nuances and differences can be found with regard to different enforcement and market surveillance infrastructure as well as cultural norms.
In general, the legislation has an impact especially with regard to:
• Restrictions on business operations, limiting the ability of the business to freely operate;
• Decrease in user-friendliness or user-experience;
• Costs for implementation, but also for litigation or for penalties/fines imposed by supervisory authorities in case of non-compliance, wrongful implementation, infringements or breaches, as well as
• The risk of having to refuse to do business in countries for which an adequacy decision of the European Commission has not been adopted.
