Background Scenario

On 29 December the Italian Budget Law for 2018 was published in the Italian Official Journal. The law at stake, which is probably one of the most relevant laws issued at the end of each year in Italy, contains some provisions that impact key elements of the forthcoming EU data protection framework – Regulation EU 2016/679 (“GDPR”), such as:

  1. “legitimate interest”, as lawful basis for data processing pursuant to Article 6.1.f GDPR, introducing a mandatory prior notification to and authorisation from the Italian Data Protection Authority (“the Garante”)of the processing activities based on legitimate interest;
  2. “right to data portability” pursuant to Article 20 GDPR, tasking the Garante to define the verification procedures concerning data controllers’ compliance with this new principle.

Main Issue

The provisions of the Budget Law concerning data protection are those contained in Section 1, paragraphs 1020- 1025 (being 1021-1023 the core provisions), whose distinctive elements can be summarized as follows:

Paragraph 1021 provides that the Garante, by March 2018, shall:

  • define how to supervise the application of the GDPR;
  • define methods for verifying the presence of adequate infrastructures established by the data controller to develop interoperable formats that enable data portability, pursuant to Article 20 of the GDPR;
  • provide a template of the “information form” (“Template”) to be completed by the data controllers who carry out processing based on the legitimate interest that involves the use of new technologies or automated tools;
  • define guidelines or best practices on the processing of personal data based on legitimate interest.

Paragraph 1022 contains a provision that seriously impacts the current data protection framework stating that:

  • data controllers who intend to carry out processing based on legitimate interest that include the use of new technologies or automated tools must promptly communicate such processing to the Garante;
  • this communication shall occur prior to the processing, using the Template which, pursuant to article paragraph 1021, should be provided by the Garante by March 2018;
  • the Template shall contain information about the object, the purposes and the context of the processing and shall be sent by the data controller to the Garante;
  • if no response is received from the Garante in the following fifteen working days, the data controller may commence the processing activity.

Pursuant to Paragraph 1023, after receiving the Template:

  • the Garante opens an investigation based on the information received from the data controller;
  • if the Garante foresees the risk that the processing may lead to an infringement of the rights and freedoms of data subject, the processing is suspended for a maximum period of thirty days;
  • during this period, the Garante may request further information and integration from the data controller;
  • if the Garante considers that the processing violates of the rights and freedoms of the data subject in any way he will forbid the processing.

Practical implications

The aforementioned provisions clarify that organisations that want to process personal data based on legitimate interest need to go through a procedure with the Garante of prior notification and authorisation. This seems not to be needed in other EU Member States where organisation/controller will be free to apply such lawful ground of processing (according to Article 6.1.f. GDPR) without prior notification and authorisation of the competent Data Protection Authority “provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”. Business wise, it is definitely a significant difference if one thinks that legitimate interest may be used also to carry out marketing related data processing – see Recital 47 GDPR which states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

In the next two months the Garante is expected to issue the attended guidelines on legitimate interest. Furthermore, the Italian Government, in virtue of the of the enabling Law n. 163/2017 (see Article 13), shall soon issue a legislative decree which aims to adapt the national law to the provisions of the GDPR. This means that the provisions of the Budget Law are likely to be further specified before 25 May 2018.

Article 29 Working Party is also expected to issue further guidelines concerning the use of legitimate interest.

Until then, organisations that intend to carry out processing based on legitimate interest shall:

  • make sure that decision-making in relation to the balance between the interests of the controller and the rights of data subjects are documented;
  • (prior to the processing) send the Template containing information about the object, the purposes and the context of the processing to the Garante seeking the relevant authorisation;
  • if the authorisation is granted, include legitimate interest in the information that must be supplied to the data subject, pursuant to Articles 13 and 14 GDPR;
  • ensure that data processed on the basis of legitimate interest is subject to a right to object pursuant to Article 21 GDPR.