Italy publishes GDPR-implementing decree

Earlier this month, the Legislative Decree for the national implementation of General Data Protection Regulation (the GDPR) was published in the Official Journal.

The legislator maintained the structure of former Legislative Decree 196/2003 (the Privacy Code) which, however, has been extensively amended and integrated, and now contains only some residual provisions in addition to those of the GDPR which are directly applicable.

The Decree entered into force on 19 September 2018.

A few specificities

First of all, the Decree integrates the provisions of the GDPR that were left to the autonomy of the Member States, for instance, by introducing limitation on the processing of particular categories of data, establishing the age of consent for children in relation to information society services, and describing the functions of the Data Protection Authority (the Garante) and the remedies available to Italian data subjects.

Also, the Decree governs the transition from the current to the future regime.

In this respect, the general decisions and guidelines previously issued by the Garante shall apply to the extent that they are compatible with the GDPR; the same applies, within the limits set out below, to the general authorisations already issued.

The provisions of the Privacy Code adopted to implement the e-Privacy Directive will, of course, remain in force.

Finally, the controversial provisions regarding legitimate interest, introduced with the Budget Law at the end of 2017 are in fact repealed, so that the notification obligation to the Garante shall apply only in case of change of the name of minors.

Below is a brief summary of the most relevant provisions.

Provisions integrating the GDPR

• The provisions relating to specific processing of personal data (e.g. processing for journalistic, academic and artistic purposes; processing within the framework of employment relationships; access to public documents, etc.) will be subject to sector sub-regulations, promoted by the Garante and subject to public consultation. These rules will be an essential condition for the lawfulness and correctness of the processing.
• The Garante shall issue “safeguard measures” necessary for the adequate processing of genetic, biometric and health related data. Until then, previously issued measures will continue to apply, to the extent that such measures are compatible with the GDPR.
• The processing of judicial data is allowed only when authorized by the law or by a regulation (the Decree indicates some relevant areas). Failing such conditions, the Ministry of Justice may identify further categories of lawful processing and related safeguards.
• The Decree sets forth the principle of impossibility to use data processed in breach of relevant regulation.
• The age of consent for children in relation to the offer of information society services is 14.
• It has been confirmed (consistently with the current regime) that data subject rights of a deceased person can be exercised by those who have a proper interest and by those who act to protect the data subject or for relevant family interests. However, the Decree introduces the possibility to prohibit the exercise of such rights, only with regard to the direct offer of information society services, with a written statement (which can be withdrawn at any time). Such provision does not prevent the exercise of third party economic rights arising from the deceased person data, as well as the right of defence.
• The appointment of “persons in charge of the processing” is re-introduced, even if it is no longer mandatory but merely voluntary.
• There are a number of provisions concerning the Garante, its functions and the remedies which can be exercised by data subjects.
• Specific processing activities, including those for judiciary, health, public or journalistic purpose are specifically governed by the Decree, without prejudice of the possibility for the Garante to encourage sector self-regulations.
• E-privacy directive provisions concerning electronic communications (such as retention obligations, e-marketing) have not been amended.
• The administrative fines envisaged by the GDPR are confirmed and extended also to infringements of the provisions of the Decree, with the obligation for the Garante to define, by means of its own internal regulation, the procedure for the adoption of orders and sanctions as well as the relative terms.
• The existing criminal sanctions are confirmed, and additional offences are foreseen by the Decree, such as the communication and disclosure of personal data on a large-scale; the fraudulent acquisition of personal data which are subject to processing on a large-scale.

Co-ordinating and transitory provisions regulating the transaction from the Privacy Code and the GDPR

• The Decree allows the possibility to end those proceedings which are still pending as of the date of entry into force of the Decree, with the payment of a reduced fine, equal to two-fifths of the minimum edict of the sanction provided for in the “old” Privacy Code.
• Within 60 days from the publication in the Official Journal of a specific notice of the Garante (which should take place within 15 days of the entry into force of the Decree and will also be available on the website of the Garante), whoever has filed in the past a claim or a report or a petition for a prior-checking, may submit to the Garante a specific request to handle such matter. Lacking such specific request, the relevant proceedings will be stopped.
• The Garante, no later than 90 days from the effective date of the Decree, shall identify by means of a general order to be subject to public consultation, the provisions of general authorisations already issued, relating to certain processing (such as that necessary for compliance with a legal obligation; for the performance of a task carried out in the public interest or connected with the exercise of public powers; necessary to fulfil obligations and rights in the field of employment and social security law; processing of genetic, biometric and health data; and specific types of processing) which do not conflict with the GDPR and, where necessary, will update them. The final order shall be adopted within 60 days from the outcome of the public consultation. Non-compatible provisions shall cease to be applicable as of the publication in the Official Journal of such an order, while the general authorisations adopted under the “old” Privacy Code relating to processing other than those indicated above, will be deemed ineffective on the date of entry into force of the Decree.
• The decisions previously issued by the Garante shall apply to the extent that they are compatible with the Decree, and the GDPR.
• The general notification obligation for processing performed on the basis of legitimate interest, introduced by the Budget Law of 2018, only applies in case of the authorisation of the change of name of minors.

Next steps

Take advantage of the far-reaching changes brought about by the GDPR with our European Privacy Tool, which offers realistic, practical and workable insights as well as templates, helping to ensure that you are successful in meeting the applicable regulatory requirements.