The Italian government has recently approved a decree amending some of the relevant provisions of the Data Protection Code with the aim of simplifying the privacy obligations for Italian businesses.
The main changes are as follows:
- Company data - Italy was one of the few EU countries to extend the applicability of privacy laws to personal data of companies. The decree has now clarified that company data is not deemed to be personal data for the purposes of the Italian Privacy Code if processed for standard administrative and accounting purposes. If processed for other purposes, it will still fall under the umbrella of Italian privacy laws.
- Intragroup transfers of personal data - intragroup transfers of personal data have always been a major issue for groups with, in some cases, limited privacy risks. For this reason, the decree prescribes that personal data of individuals which is processed for standard administrative and accounting purposes (eg, excluding marketing or profiling purposes) can be transferred by legal entities and associations to their holding, controlled or affiliate companies without any need for the prior consent of the relevant data subjects, on condition that the latter are provided with a privacy information notice.
- Security measures - Italian privacy law requires companies to have in place a detailed data security document which must comply with specific requirements and must be updated on a yearly basis. This obligation will no longer apply to entities processing either non-sensitive data only or sensitive data or judicial data relating only to their employees and consultants. In such cases, this obligation has been replaced with an obligation for the data controller to issue a self-declaration of compliance with security measures.
For further information on this topic please contact Marco Leone at DLA Piper Italy by telephone (+39 02 80 61 81), fax (+39 02 80 61 82 01) or email ([email protected]).