Background information/Scenario

In its last newsletter the Italian Data Protection Authority (“Garante”) announced that it will carry out inspections on specific sectors during the first semester of 2017. According to the newsletter, the inspections will be performed in cooperation with the Special Unit of the Financial Police and will focus on the processing of personal data in the context of:

  • SPID (the Italian public service of digital identity);
  • companies in the business of telemarketing (especially those located in Albania);
  • the national statistical system.

Main issues

The inspection activity will be carried out by the Garante by means of preliminary inquiries and random controls and is of remarkable importance considering that 2016 showed a 38% increase in sanctions which has brought 3.3 million Euro to the Treasury. The inspections carried out in 2016 revealed that:

  • data subjects are still inadequately informed on data processing;
  • minimum security measures (Annex B to the Personal Data Protection Code) are not always adopted;
  • traffic data are retained far beyond the permitted period of time;

In addition to the above, the Garante issued several sanctions regarding the failure to submit notifications and to provide information or produce documents to the Garante.

Practical actions

Companies providing public services of digital identity and operating in the telemarketing field should thoroughly verify their compliance status with applicable data protection provisions and their ability to adequately and duly demonstrate it. Inspections will also be carried out following circumstantial claims and reports or complaints lodged by data subjects. Companies should therefore further check consent forms, the accuracy of the information provided to data subjects, provide for the full adoption of minimum security measures, ensure the fulfillment of notification requirements to the Garante (where needed) and respect storage limitation.