The Italian DPA issued its first guidelines on the GDPR
On 28 April 2017 the Italian Data Protection Authority (“Garante”) issued its first guidance on the new provisions of the General Data Protection Regulation (“GDPR”), consisting of a schematic overview of the changes to the current legal framework and recommendations on how to address them.
The Garante focused on six specific aspects:
Lawfulness of processing;
Information notices;
Data subjects’ rights;
Controller, processor and persons authorised to process personal data;
Accountability and risk-based approach;
Transfer of data.
The following paragraphs summarise the Garante’s practical advice on each aspect.
1. Lawfulness of processing
a) According to the Garante, consent collected before 25 May 2018 remains valid only if it already meets the requirements set forth in the GDPR. For instance, the processing of special categories of personal data (Art. 9 GDPR) and processing for profiling purposes (Art. 22 GDPR) always require “explicit consent”. Under the GDPR such consent need not be given in writing, but the controller still bears the burden of proving that it was obtained. Moreover, to be valid, consent must be freely given by data subjects aged at least 16 and must be clearly distinguishable from other matters (e.g., terms of service);
b) The lawfulness of processing that is necessary “to protect the vital interests” of the data subject or for “the legitimate interests pursued by the data controller” must be assessed by the controller itself (no longer by the Garante, pursuant to the accountability principle), taking into account Recital 47 GDPR, the Garante’s case law on the balancing test, and the present and future guidelines of the Article 29 Working Party.
2. Information notices
Information notices must always contain the information set forth in Artt. 13 and 14 GDPR. The Garante therefore emphasises that controllers need to verify that their information notices/privacy policies comply with the GDPR requirements before 25 May 2018. Among these requirements, controllers should address the following obligations early, since they may require some time and extensive internal discussion: the obligation to specify “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period” and, where applicable, the fact that the controller intends to transfer personal data to a third country and the relevant legal basis.
The Garante also discusses standardised, machine-readable icons that give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner (e.g. those already provided for video surveillance). Data subjects must receive the information notice in a timely manner, especially when personal data are not collected directly from them (at the latest within one month). Under the Garante’s case law and the accountability principle, the controller must prove any impossibility or “disproportionate effort” that prevents it from providing an information notice.
3. Data subjects’ rights
According to the Garante:
a) The controller shall take appropriate measures to provide any information referred to in Artt. 13 and 14 and any communication under Articles 15 to 22 and 34 GDPR relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Information is provided to the data subject in writing by default (orally only if so requested by the data subject). The Garante will soon consider issuing specific guidelines, in line with its case law, on what constitutes a reasonable fee for manifestly unfounded or excessive requests;
b) The right of access no longer includes disclosure of the modalities/means of processing, but it always includes the data subject’s right to obtain a copy of the personal data. In this regard, the Garante encourages the use of automated mechanisms that allow data subjects to access their data autonomously;
c) The scope of the right to erasure is wider than the current right to deletion of personal data: where the controller has made the data public, it now has an obligation to take reasonable steps, including technical measures, to inform other controllers processing those data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data;
d) The new right to restriction of processing also differs from the previous mere blocking/suspension of processing activities: in practice, it requires controllers to “tag” personal data so that restriction can be applied quickly and automatically. Interestingly, the Garante suggests this approach not only for digital data but also for paper-based data, without explaining how paper documents should be tagged;
e) Where applicable, the right to data portability must be implemented according to the newly adopted Article 29 Working Party guidelines and the Garante’s case law on the balancing test for the right of access.
4. Controller, processor and persons authorised to process personal data
a) As the GDPR regulates joint controllership, the Garante suggests that all controllers review the rights and obligations of the respective parties, so that data subjects can effectively exercise their rights where such joint processing occurs;
b) Before 25 May 2018, all data processing agreements must be reviewed to ensure they are aligned with Art. 28 GDPR. In this regard, and unlike under the current Italian legal framework, a processor may now sub-contract processing operations on the basis of a general authorisation from the controller. The Garante is considering, together with other European stakeholders, providing model clauses for these contracts;
c) Furthermore, as a general rule, controllers and processors must ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in line with the Garante’s decisions on the matter.
5. Accountability and risk-based approach
As this principle is entirely new to the Italian data protection framework, the Garante suggests the following practical steps:
a) Where applicable, the register of processing activities is a fundamental tool, not only as evidence of compliance in case of inspections by the Garante (accountability principle) but also for the proper management of personal data. Whilst the content of the register is described in Art. 30 GDPR, the Garante notes that stakeholders may enrich it with further information on their processing (e.g. the information required by the notification form under Section 38 of the Italian Personal Data Protection Code). In this regard, the Garante is considering providing a model register of processing activities that can be integrated directly into organisational structures;
b) Pursuant to the accountability principle, there is no longer a minimum set of organisational and security measures to be implemented by controllers or processors, except for public bodies processing sensitive data in the public interest. Each stakeholder will be accountable for its choice of security measures, of which those described in Art. 32 GDPR are not to be regarded as exhaustive. In this regard, the Garante is considering issuing best practices in light of its current case law;
c) On data breach obligations, which apply to all controllers, the Garante specifies that the content of the notifications and communications set forth in Artt. 33 and 34 GDPR is not exhaustive; accordingly, following the forthcoming guidelines of the European Data Protection Board, the Garante will update and adapt its current notification model. The Garante also makes clear that, in addition to determining which cases pose a “high risk to the rights and freedoms of natural persons” (an obligation of the controller under the accountability principle), the controller “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken” as evidence in case of an inspection by the Garante;
d) Where applicable, controllers and processors must appoint a Data Protection Officer in line with the newly adopted Article 29 Working Party guidelines.
6. Transfer of data
Firstly, the Garante acknowledges that a transfer to a third country based on an adequacy decision adopted by the European Commission, on duly signed standard contractual clauses, or on binding corporate rules approved under the procedure in Art. 47 GDPR may take place without any specific authorisation from the Garante (see Art. 45(1) and Art. 46(2) GDPR).
However, with regard to the transfer mechanisms in Artt. 44 to 49 GDPR, the Garante notes that where a transfer relies on ad hoc contractual clauses or on administrative arrangements between public authorities or bodies, prior authorisation by the Garante is still required under Art. 46(3) GDPR.
5 Tips – Companies/Organisations need to promptly:
Verify whether the legal basis for their processing activities complies with the GDPR;
Update information notices to include the elements required by the GDPR (bearing in mind that discussions on data retention and data transfers may be lengthy and difficult);
Start risk assessment procedures in order to identify and apply appropriate technical and organisational measures ensuring a level of security appropriate to the risk, comply with the principle of data protection by design and by default, and be ready to carry out the relevant data protection impact assessments;
Verify how they will comply with the new data subjects’ rights, e.g., portability, restriction of processing and the right to erasure (“right to be forgotten”);
Put in place procedures to demonstrate compliance with the GDPR (retain evidence).