Background information/Scenario

On 12 October 2017, the Italian Data Protection Authority (the “Garante”) published its usual newsletter containing details on the Inspection Plan for the second part of 2017. The plan aims at indicating the prospected actions which will be carried out in collaboration with the Italian finance police having in mind the application of the new EU General Data Protection Regulation.

Main issues

The most relevant areas in which the Garante will focus its inspection’s activity in next months will be:

  • Public System for the Digital Identity of Citizens and Businesses (“SPID”);
  • Italian consulates abroad that use external agencies to issues visas;
  • healthcare;
  • Italian National Institute of Statistics (“ISTAT”) and other public or private organisations that produce statistics;
  • telemarketing;
  • debt-recovery activities;
  • companies organising lotteries and prize contests;
  • recruitment companies.

More generally, the Garante’s activities will check compliance with the general principles of data protection and in particular the:

  • adoption of appropriate measures to ensure the security of processing;
  • lawfulness and fairness of processing;
  • compliance with the obligation of information to the data subject, and that his/her data are relevant and not excessive with regards to the purposes of the processing;
  • validity of consent;
  • data retention.

Practical actions/implications

In the first part of 2017, inspections carried out by the Garante in the private and public sectors were prolific, collecting about € 1.700.000 from sanctions. Bearing this in mind, companies will have to intensify their work in order to align their data protection compliance framework to the provisions of the EU General Data Protection Regulation.

Companies whose business falls under these areas will need to pay a great deal of attention as they now find themselves under the spotlight of the Garante.   Business activity should be carried out on a solid legal compliance basis which must be demonstrable at any time upon request of the Authority or of the data subjects.