Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve? Italian data protection laws are ahead of the international curve. The Data Protection Code (Legislative Decree 196/2003) implemented EU Directives 95/46/EC and 2002/58/EC in a detailed and prescriptive way. This, together with related provisions issued by the Data Protection Authority, has put Italy at the forefront of EU data protection.
Italy has one of the soundest legal frameworks in the European Union with regard to balancing data subjects’ rights and businesses’ interests. The Data Protection Authority often interprets the data protection rules in ways that simplify their application for data controllers, while maintaining an intense focus on protecting individuals by rigorously enforcing the rules (eg, notably the 2013 guidelines on simplified procedures to carry out multi-platform marketing activities and the new rules regarding employers’ rights to monitor employees). There is now a longstanding tradition in legal practice and interpretation that puts Italian data protection rules ahead of the international curve.
Are any changes to existing data protection legislation proposed or expected in the near future? A new set of rules approved at the EU level was published in the Official Journal of the European Union on May 4 2016. This package comprises the General Data Protection Regulation, the Directive on Data Processing by Competent Authorities for Law Enforcement Purposes and the Directive on Passenger Name Records. The General Data Protection Regulation, which will enter into force on May 25 2018 for all EU member states, including Italy, will substantially amend the existing rules.
There is a new procedure allowing employers to monitor employees through electronic devices used by employees to carry out their work (Article 4 of the Workers’ Statute (Law 300/1970)).
Parliament is in the midst of discussing a new set of rules regarding whistleblowing-related personal data processing activities, which is expected to result in a new law in the coming months.
By the end of 2016, the Data Protection Authority is expected to issue a new set of rules regulating personal data processing activities specifically carried out by means of video surveillance technologies, replacing the Data Protection Authority’s 2010 general provision.
Legislation
What legislation governs the collection, storage and use of personal data? The Data Protection Code (Decree 196/2003), and specific and general provisions issued by the Data Protection Authority, govern the collection, storage and use of personal data.
Scope and jurisdiction
Who falls within the scope of the legislation? The following entities fall within the scope of the legislation:
- entities established in the state’s territory or in a place under the state’s sovereignty which process personal data, including data held abroad; and
- entities established in a non-EU country that use equipment in connection with processing data (whether electronic or otherwise) in the non-EU country, unless this equipment is used only for purposes of transit through the European Union.
The EU General Data Protection Regulation will broaden the territorial scope of data protection legislation in Europe in order to encompass entities established outside the European Union, where processing activities relate to:
- the offering of goods or services to data subjects in the European Union, irrespective of whether data subjects pay for the goods or services; or
- the monitoring of data subjects’ behaviour within the European Union.
What kind of data falls within the scope of the legislation? Personal data falls within the scope of the legislation. ‘Personal data’ is defined as any information relating to a natural person who is or can be identified, even indirectly, by reference to any other information, including:
- personal identification numbers;
- identification data – personal data allowing a data subject to be identified directly; and
- sensitive data – personal data allowing the disclosure of information relating to:
  - racial or ethnic origin;
  - religious persuasions;
  - philosophical or other beliefs;
  - political opinions;
  - political party membership;
  - trade union membership;
  - membership in associations or organisations of a religious, philosophical, political or trade unionist character;
  - health and sex life; and
  - judicial data.
Are data owners required to register with the relevant authority before processing data? In Italy, data owners need not register with the relevant authority before processing data. However, in certain cases provided for by law, data controllers are subject to three distinct obligations that must be fulfilled before the relevant processing begins.
First, data controllers must notify the data subject of the processing of personal data if it concerns:
- genetic and biometric data;
- data that has been processed to analyse or profile individuals; or
- credit-related information (pursuant to Section 37 of the Data Protection Code).
Second, personal data that entails specific risks to data subjects’ fundamental rights must undergo a prior check by the Data Protection Authority (pursuant to Section 17 of the Data Protection Code).
Third, special categories of data (eg, health data) must be processed in accordance with an authorisation from the Data Protection Authority. Authorisation is usually provided in a general fashion by the authority, but processing operations not included in the general authorisation must receive specific prior authorisation (pursuant to Section 26 of the Data Protection Code).
The General Data Protection Regulation will nevertheless abolish the notification requirement and replace it with an obligation to maintain internal records of data processing activities. Therefore, in place of notifications, controllers and processors must maintain, and make available to data subjects and supervising authorities on request, internal records that cover all of their data processing activities.
Is information regarding registered data owners publicly available? Yes – but only where the Data Protection Authority enters notifications submitted pursuant to Section 37 of the Data Protection Code into a publicly available register of processing operations, accessible via the Data Protection Authority’s website.
Is there a requirement to appoint a data protection officer? There is no legislative requirement to appoint a data protection officer. However, in its general provision on the electronic health record, the Data Protection Authority strongly recommended the appointment of a data protection officer. Under the General Data Protection Regulation, public and private sector companies where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of data and personal data relating to criminal convictions and offences, must appoint a data protection officer.
Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers? The Data Protection Authority primarily enforces data protection legislation. It has inspection powers, corrective powers (including the capacity to issue administrative penalties) and advisory powers. When investigating organisations, the Data Protection Authority can request information and documents, although these requests are not legally binding. However, if the organisation refuses to cooperate or allow access to its systems, the Data Protection Authority can apply for a judicial order to carry out an investigation. When carrying out formal inspections, the Data Protection Authority can demand copies of manual records and databases, which may be passed on to the judicial authorities. A report of the outcome is then published.
The data protection rules may also be enforced by judicial authorities.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed? Personal data must be:
- processed lawfully and fairly;
- collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is consistent with said purposes;
- accurate and kept up to date;
- relevant, complete and not excessive in relation to the purposes for which it is collected or subsequently processed; and
- kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is collected or subsequently processed.
Any processing of personal data carried out in breach of the above principles is deemed to infringe the law.
Moreover, in order to process personal data lawfully, controllers must rely on a valid legal ground, such as:
- the data subject’s consent;
- the necessity to comply with a legal obligation; or
- where the data processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party or otherwise in order to comply with specific requests made by the data subject before entering into a contract.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records? As a rule, personal data must be stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data was collected and processed. In some cases the law itself establishes a specific retention period – for example, providers of electronic communication services (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers):
- can process traffic data that is strictly necessary in relation to contracting parties’ billing and connection payments for up to six months;
- must retain telephone traffic data for 24 months from the date of communication for the purpose of detecting and suppressing criminal offences; and
- for the same purpose, must retain electronic communication traffic data, but not the content of communications, for 12 months from the date of the communication.
The legislature recently extended the compulsory data retention period for the purpose of detecting and suppressing certain serious criminal offences (eg, terrorist activities and activities performed by stable criminal organisations) until July 1 2017.
Do individuals have a right to access personal information about them that is held by an organisation? Data subjects have the right to obtain confirmation as to whether or not personal data concerning them exists, regardless of whether it has already been recorded, and to have such data communicated to them in an intelligible form.
Further, data subjects have the right to be informed of:
- the source of the personal data;
- the purposes and methods of processing;
- the logic applied to processing, if it is carried out by electronic means;
- the identity and details of the data controller, data processors and the designated representative; and
- the entities or categories of entity to which the personal data may be communicated and the parties that may be privy to the data in their capacity as:
  - designated representatives in the state’s territory;
  - data processors; or
  - managers of the processing.
Do individuals have a right to request deletion of their data? Data subjects have the right to:
- have data that has been processed unlawfully erased, anonymised or blocked, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; and
- obtain certification that the above operations, including their content, have been notified to the entities to which the data was communicated or disseminated.
The EU General Data Protection Regulation elaborates further on this right by introducing the so-called ‘right to be forgotten’. Under the new rules, data subjects have the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller must comply with the request if, for example:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent and there is no other legal ground for the processing;
- the data subject objects to the processing (ie, profiling or direct marketing); or
- the personal data has been unlawfully processed.
Moreover, where the controller has made the personal data public and is obliged to erase it, the controller, taking into account the available technology and cost of implementation, must take reasonable steps, including technical measures, to inform the controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, the personal data (right to de-listing).
Consent obligations
Is consent required before processing personal data? The processing of personal data by private entities or profit-seeking public bodies is usually based on the data subject’s express, informed, specific and freely given consent, unless one of the legal exceptions to this rule applies. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations involved in the processing.
As a rule, consent must be given in writing if the processing concerns sensitive data. Sensitive data may be processed only with the data subject’s written consent and the Data Protection Authority’s prior authorisation.
If consent is not provided, are there other circumstances in which data processing is permitted? Consent need not be provided if, for example:
- the processing is necessary to comply with an obligation imposed by law, regulations or EU legislation;
- the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to comply with specific requests made by the data subject before entering into a contract;
- the processing concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations or EU legislation with regard to their disclosure and publicity;
- the processing concerns data relating to economic activities that are processed in compliance with the legislation in relation to business and industrial secrecy; and
- the processing is necessary to safeguard the life or bodily integrity of a third party, or to ensure that defence counsel can carry out investigations or defend a legal claim.
Further specific exceptions to the rule of consent are contained in the Data Protection Code.
What information must be provided to individuals when personal data is collected? The data subject must be informed in advance, either orally or in writing, of:
- the purposes and modalities of the processing for which the data is intended;
- the obligatory or voluntary nature of providing the requested data;
- the consequences if he or she fails to reply;
- the entities or categories of entities to which the data may be communicated or that may have access to the data in their capacity as data processors or persons in charge of processing;
- the scope of dissemination of the data; and
- information regarding the data controller and, where designated, the data controller’s representative in the state and the data processor.
Data security and breach notification
Security obligations
Are there specific security obligations that must be complied with? Personal data undergoing processing must be kept and controlled (as far as possible, considering technological innovations, the nature of the data and the specific features of the processing), in such a way as to minimise the risk of:
- its accidental or wilful destruction or loss;
- unauthorised access to the data; or
- processing operations that are either unlawful or inconsistent with the purposes for which the data has been collected.
Specific security measures may be prescribed by the Data Protection Authority via a general provision for particular types of processing, as it has done, for example, for the processing of biometric data and for the processing of personal data by system administrators.
In any case, data controllers must adopt security measures in order to ensure a minimum level of personal data protection. Such measures are listed in Annex B (Technical Specifications Concerning Minimum Security Measures) to the Data Protection Code.
Breach notification
Are data owners/processors required to notify individuals in the event of a breach? According to the Data Protection Code, only providers of a publicly available electronic communications service (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers) must notify data subjects of a breach.
In case of a particular risk of a breach of network security, the provider of a publicly available electronic communications service must inform the contracting parties and (if possible) users of all the possible remedies, including an indication of the likely costs involved.
When a personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the provider must also notify the contracting party or individual of the breach without delay. The notification described above is not required if the provider has demonstrated to the Data Protection Authority that it has implemented technological protection measures that render the data unintelligible to any entity that is not authorised to access it, and that the measures were applied to the data related to the breach.
The same obligation applies to data breaches related to electronic health files. The EU General Data Protection Regulation introduces a similar obligation to notify data breaches to every controller and processor, regardless of their qualification as a provider of a publicly available electronic communications service.
Are data owners/processors required to notify the regulator in the event of a breach? In case of a personal data breach, the providers of publicly available electronic communications services must notify the breach to the Data Protection Authority and the Authority for Communications Safeguards without undue delay.
The same obligation applies to data breaches related to electronic health files.
Electronic marketing and internet use
Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)? There is a comprehensive set of rules governing direct marketing, resulting from the combined application of both the Data Protection Code and the Data Protection Authority’s Guidelines on Marketing and Against Spam of July 4 2013.
As a rule, data controllers may contact users for direct marketing purposes with the prior consent of the user. This rule applies to communications performed by means of automated calling or communications systems without human intervention or by email, fax or text message. Consent needs to be given only once to enable marketing activities using different means of communication, provided that the data subject can opt out at any time from one or more of the means of communication used by the data controller.
Further, when the personal data is drawn from publicly available papers or electronic directories, data controllers may contact users only by telephone or mail, provided that users have not exercised their right to object (opt-out mechanism).
Finally, where a data controller uses, for direct marketing of its own products or services, electronic contact details for emails supplied by a data subject in the context of the sale of a product or service, it need not request the data subject’s consent, provided that the services are similar to those that were the subject of the sale and the data subject, after being adequately informed, does not object to the use either initially or in connection with subsequent communications.
So-called ‘technical cookies’ are exempt from the consent requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the subscriber or user. Under the Data Protection Code, technical cookies may be used without the user’s consent, provided that the user is informed as required.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction? Personal data flows freely within the European Union and countries that ensure an adequate level of safeguards according to the European Commission.
The transfer of processed personal data to a non-EU member state is permitted if it is authorised by the Data Protection Authority on the basis that the non-EU country has adequate safeguards for data subjects’ rights, or that adequate rules of conduct are in force within the framework of companies and they belong to the same group.
Other legal grounds for the transfer of personal data are provided for in the EU Model Clauses, the Binding Corporate Rules and, if officially approved, the EU-US Privacy Shield for transfers to the United States.
Are there restrictions on the geographic transfer of data? The transfer of processed personal data to a non-EU member state is permitted if it is authorised by the Data Protection Authority on the basis that the non-EU country has adequate safeguards for data subjects’ rights, or that adequate rules of conduct are in force within the framework of companies and they belong to the same group.
Other legal grounds for the transfer of personal data are provided for in the EU Model Clauses, the Binding Corporate Rules and, if officially approved, the EU-US Privacy Shield for transfers to the United States.
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Data subjects must be informed beforehand of the possible communication of their personal data to a third party or a category of third parties. The actual communication of data must rely on a valid legal ground. For example, in order to communicate data to a third party for its own direct marketing purposes, the data controller must seek specific consent beforehand. In other cases, the communication may be authorised, if not mandated, by law. A specific form of disclosure – which does not technically amount to a ‘communication’ within the meaning of the law – is that between a data controller and a data processor, where the latter acts under the control and instructions of the former.
Penalties and compensation
Penalties
What are the potential penalties for non-compliance with data protection provisions? Non-compliance with the data protection rules can lead to administrative penalties in the form of fines and injunctions, as well as criminal charges. It is worth underlining that, pursuant to Section 143 of the Data Protection Code, the Data Protection Authority will block or prohibit processing, in whole or in part, if:
- it is found to be unlawful or unfair and this is partly due to the data controller’s failure to take the necessary measures to align the processing to applicable law; or
- there is an actual risk that it may be considerably prejudicial to one or more of the data subjects with regard to:
  - the nature of the data;
  - the arrangements that apply to the processing; or
  - the effects that may be produced by the processing.
In case of failure to comply with the security provisions or where activities are conducted with the intent to cause harm – for example, in the event of unlawful data processing or false declarations or notifications submitted to the Data Protection Authority – criminal penalties may be imposed by the court.
Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner? Yes – individuals are entitled to compensation for loss suffered as a result of a data breach or non-compliance with the data protection rules by the data owner. As a rule, whoever causes damage is liable to pay damages; this liability arises under the rules on dangerous activities set out in Section 2050 of the Civil Code.
The EU General Data Protection Regulation also recognises data subjects’ right to seek compensation if a controller or processor infringes the regulation, causing material or non-material damage.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity? Parliament has asked the government to implement EU Directive 2013/40/EC on attacks against information systems, which approximates member states’ criminal law regarding illegal access to information systems, illegal system interference, illegal data interference, illegal interception, incitement, aiding and abetting and attempting to commit one of the aforementioned offences.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)? Section 4a of Legislative Decree 7/2015 now prescribes that telephone and internet traffic data (except for the content of communications) held by telecoms service operators, as well as telephone and internet traffic data generated thereafter, must be retained until June 30 2017 for the purposes of detecting and suppressing serious criminal offences related to terrorist activities. Further, even though EU Directive 2006/24/EC on the retention of data generated or processed by publicly available electronic communications services and public communications networks was declared invalid by the European Court of Justice in 2014, its national implementing norms remain in force.
Which cyber activities are criminalised in your jurisdiction? The Criminal Code punishes activities such as:
- computer fraud;
- damages caused to computer or telematic systems;
- dissemination of computer programs intended to damage or disrupt an IT system;
- unauthorised access to a computer or telecoms system;
- prevention or interruption of computer or electronic communications;
- installation of equipment designed to intercept data; and
- falsification, alteration or suppression of the content of computer or electronic communications.
Which authorities are responsible for enforcing cybersecurity rules? The minister for home affairs and the heads of the central offices specialised in computer and IT matters – from the state police, the Carabinieri and the financial police to criminal prosecutors and the courts – are the responsible authorities.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so? Although no legislative framework governs the rules and procedures for obtaining insurance against cybercrime, some insurers have started offering such policies to companies and uptake is increasing rapidly.
Are companies required to keep records of cybercrime threats, attacks and breaches? Providers must keep an updated inventory of personal data breaches, including the circumstances of the breach, its consequences and the measures adopted to remedy the breach.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities? According to the Data Protection Code, providers of publicly available electronic communications services must notify breaches of personal data to the supervisory authorities and the individuals affected under the conditions set out therein.
The General Data Protection Regulation introduces a similar obligation to notify data breaches to the Data Protection Authority for every controller and processor, regardless of their qualification as a provider of publicly available electronic communications services.
Moreover, in two general application orders (General Application Order Concerning Biometrics, November 12 2014, and General Application Order Concerning Electronic Health Files, June 4 2015) the Data Protection Authority set out an obligation for data controllers to report breaches concerning biometric data within 24 hours of becoming aware of the event and to report breaches concerning data contained in electronic health files within 48 hours of becoming aware of the event.
Finally, the forthcoming EU Network and Information Security Directive, which has not yet been approved, is also likely to introduce a specific obligation to report serious security breaches to public authorities for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).
Are companies required to report cybercrime threats, attacks and breaches publicly? According to the Data Protection Code, when a personal data breach is likely to be detrimental to individuals who are parties to contracts for publicly available electronic communications services, providers must notify the breach to them without undue delay, unless they can demonstrate to the Data Protection Authority that they have implemented technological protection measures that render the data unintelligible to any entity that is not authorised to access it, and that these measures were applied to the breached data.
The General Data Protection Regulation introduces a similar obligation to notify data breaches to data subjects for every controller, regardless of its qualification as a provider of publicly available electronic communications services.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime? According to the Criminal Code, offences related to the security of networks, as well as to computer or telematic systems, are punishable by fines of up to €10,329 and imprisonment for up to eight years.
What penalties may be imposed for failure to comply with cybersecurity regulations? The Data Protection Code prescribes that failure to adopt the minimum security measures may be punished by imprisonment for up to two years. Any violation of the provisions regarding the retention of traffic data is punished by an administrative fine ranging from €10,000 to €50,000.
Failure to comply with the obligation to report data breaches to the supervisory authority may trigger an administrative penalty ranging from €25,000 to €150,000.
Failure to comply with the obligation to report data breaches to affected individuals may trigger an administrative penalty ranging from €150 to €1,000 per contracting party or individual.