Background Information / Scenario
On February 22nd, 2018, the Italian Data Protection Authority (the “Garante”) adopted decision no. 121 (the “Decision”), which describes how the correct application of the provisions of the EU General Data Protection Regulation (“GDPR” or “Regulation”) will be monitored and verified. The Decision also provides further details on the information notice and on general good practices where processing is based on a legitimate interest.
The Decision is a mandatory act under paragraph 1021 of the Italian Budget Law no. 205/2017 and, unless otherwise provided at a later stage, becomes applicable only six months after the entry into force of the harmonising decree (the “Decree”) that adapts national privacy legislation to the GDPR. The preliminary draft of the Decree was approved by the Italian Council of Ministers on March 21st and still requires final approval. The delegation under art. 13 of the European Delegation Act 2016-2017 has been extended by three months and will expire on 22 August 2018.
In this regard, on April 19th the Garante rejected the mistaken assumption that the deferred application of the Decision implies a deferral of its investigative or sanctioning activities. Companies therefore cannot count on a grace period: according to the Garante, they may be sanctioned for violating GDPR provisions even before the Decision becomes applicable.
> How is the Garante going to monitor and verify the correct application of the GDPR?
In order to protect the rights and freedoms of data subjects, the Garante may exercise the powers conferred upon it by article 58 of the GDPR. These powers must be exercised with respect for procedural guarantees and allowing the controller or processor to take part in the proceedings.
In particular, the Garante may, for example:
- prescribe corrective actions by restricting the processing, as well as banning it;
- require information and the disclosure of documents;
- obtain access to databases or archives;
- carry out other types of inspections and verifications;
- report any crimes subject to public prosecution that come to light in the information obtained while carrying out its tasks.
> On the basis of which criteria may an infrastructure be declared adequate to support the interoperability of formats, in particular with regard to the right to data portability (art. 20 of GDPR)?
The Garante clearly states that, while a data subject has the right to data portability under article 20 of GDPR, the controller is under no obligation to adopt or maintain processing systems that are technically compatible with those of other controllers.
Nonetheless, the controller shall meet the minimum format requirements laid down in the Regulation (“structured”, “commonly used” and “machine-readable”) in order to facilitate interoperability. In any case, the Garante retains the right to verify, on a case-by-case basis, whether the chosen format is the most appropriate one to guarantee the transmission of personal data.
As a general rule, a format should give the data subject a wide margin of portability and allow them to reuse the data with very little effort. To this end, the controller should provide as much technical information as needed, ensuring the continuity of the services and preserving the semantics of the information.
Moreover, the Garante will verify whether any hindrance of a legal, technical or financial nature has been put in place that prevents or slows down the access, transmission or reuse of data. Examples of such illegitimate obstacles can be found in the Article 29 Working Party (“WP29”) Guidelines on the right to data portability (e.g., fees charged for delivering data, lack of interoperability or of access to a data format or API or to the provided format, excessive delay or complexity in retrieving the full dataset, deliberate obfuscation of the dataset, or specific and undue or excessive sectoral standardisation or accreditation demands).
> Under what conditions is a direct transmission of personal data to a different data controller considered technically feasible within the meaning of article 20(2) of GDPR?
With regard to technical feasibility, which is a precondition for the right to have personal data transmitted directly to another controller within the meaning of article 20(2) of GDPR, the Garante has pointed out the following:
- the possibility of setting up a secure communication channel between the two systems;
- the suitability of the receiving system for processing the incoming data;
- the obligation of the controller to notify the existence of any technical obstacles that prevent the direct transmission of personal data.
Moreover, the Garante envisages the promotion of initiatives for cooperation between producers and trade associations, with the goal of developing a common set of standards and interoperable formats.
> Which issues must be considered when the processing is carried out on the basis of a legitimate interest as referred to in Article 6(1)(f)?
The controller, or third parties who intend to process data on the grounds of a legitimate interest, have to make sure that no fundamental right or freedom, or other interest, of the data subject overrides that legitimate interest. The Garante clarifies that, in situations in which the data subject cannot reasonably expect further processing, the data subject’s interests and rights prevail.
The balancing exercise in question, which is governed by the general principle of accountability (Article 5 of GDPR), needs to be carried out in accordance with the criteria set out in the Regulation and in the WP29 guidelines, having regard to the series of cases in which an existing legitimate interest is presumed to prevail (e.g. processing of the personal data of a client or an employee, processing related to video surveillance systems).
> What should the layout of the information notice be and how should it be provided?
According to the Garante, the privacy notice informing the data subject that the processing is based on a legitimate interest should be structured in two layers:
Firstly, a short notice provided in the form of a pop-up should contain the essential information regarding the processing activities. Secondly, an extended notice should provide further details, including the legitimate interest pursued, the party holding that interest and the data subject’s right to object to the processing.
Finally, the Garante states that the above-mentioned information shall be explicit, clear and provided in a separate manner.
Practical actions / implications
Given that the application of the Decision is deferred until 6 months and 15 days after the publication of the Decree (the so-called vacatio legis), unless the Garante provides otherwise, a controller or processor planning to process personal data on the grounds of a legitimate interest should, before that date and in order to comply with the Garante’s indications:
1. Before starting to process personal data, duly consider that:
- the processing should not relate to special categories of personal data as referred to in articles 9 and 10 of GDPR;
- legitimate interest is an appropriate ground only where no other legal basis under article 6 of GDPR would be more appropriate;
- the specific objectives and purposes pursued should be identified in a clear manner;
- the purpose of the processing should be lawful and not in conflict with other areas of law;
- the quality of the personal data should be safeguarded, in order to guarantee the accuracy and continuous updating of the information;
- the collection and use of data should comply with the principle of data minimisation;
- the protection of personal data should be ensured by design and by default, as well as through the adoption of security measures;
- the data protection impact assessment referred to in article 35 GDPR should be carried out, since processing on the ground of legitimate interest, when carried out using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects; this is without prejudice to the obligation of prior consultation of the Garante (article 36 of GDPR) whenever the outcome of the assessment shows a high residual risk.
2. Provide an information notice that informs the data subject that their data is being processed on the basis of a legitimate interest, indicating the specific legitimate interest in question and highlighting the right to object to the processing.
3. As a matter of good practice and in order to demonstrate transparency and accountability, provide the data subject with information on the outcome of the balancing exercise and disclose the essential elements of the data protection impact assessment.