On 26th of July 2018, for the first time after the application of the EU Regulation 2016/679 (hereinafter, “GDPR”), the Italian Data Protection Authority (hereinafter, “the Garante”) published a decision, in order to identify the principal area of its inspection activities (which are to be carried out also in collaboration with the Italian finance police) during the second semester of 2018. The thematic areas that will be involved in the inspections are: large databases, credit institutions and telemarketing.

Main Issues

The inspection activities will focus on:

  • data processing activities carried out by either private or public companies using large databases;
  • security measures adopted by credit institutions (with a special attention to data breach reporting);
  • processing of personal data for telemarketing

In particular, the audits are likely to concern the aforementioned actors’:

  • compliance with the obligation to inform the data subjects,
  • legal basis for processing and the compliance with the conditions for consent,
  • definition and application of retention period of personal data,
  • adoption of appropriate measures to ensure data protection,

and the Garante will take into consideration, in particular, the compliance with the obligations:

  • to keep the record of processing activities (Article 30 GDPR);
  • to carry out data protection impact assessments (Article 35 GDPR);
  • to designate a data protection officer (Article 37 GDPR).

Furthermore, the inspections will also cover the inquiries opened following data subjects’ reports or complains, with significant attention to the most serious infringements.

The work accomplished in the first semester of 2018: a comparison to 2017

In the first semester of 2018, based on the information provided by the Garante, an increase of the fines collected by the public Treasury can be observed. In fact, the sanctions imposed by the Garante have increased by 162% since last year, reaching a total of 4.500.000 euros collected, most of which as a result of sanctions imposed on telephone providers. Furthermore, the amount of the contested sanctions has also increased, by more than 118% over the last year. As far as the criminal actions are concerned, the number remains stable at 19, most of which are concerned with violations from the Data Protection Authority’s orders, violation of security measures, and violations of the regulation for employers’ remote monitoring.

Practical implications

The companies and public entities that process personal data (in particular those who manage large databases, the credit institutions and those who carry out telemarketing activities) shall, especially, make sure that:

  • the data subjects are given the information provided for by Art. 13 and 14 GDPR;
  • the processing activities are carried out on lawful legal basis and, when the processing is based on consent, that the conditions for consent set out in art. 7 GDPR are met;
  • adequate periods of retention of personal data are defined and applied;
  • a record of processing activities is correctly kept (except for the cases provided for by art. 30(5) GDPR);
  • in case of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment is carried out (prior to the processing), pursuant to art. 35 GDPR;
  • a Data Protection Officer has been designated (in cases where its designation is mandatory pursuant to art. 30(1) GDPR).