The administrative penalties scheme under the Italian Data Protection Code (Legislative Decree 30 June 2003 n. 196) has recently been substantially amended.
Article 44 of the Decree, dated 18 December 2008, no. 207 (published in the Italian Official Gazette no. 304 dated 31 December 2008) tightens the administrative penalties under the Italian DP Code:
- by doubling the amounts of the original sanctions (in some cases the amount of the minimum and maximum fines have more than doubled);
- by imposing additional administrative penalties in case of violation of certain specific requirements of the Italian Data Protection Code; and
- by introducing new sanctions for new offences.
It is likely that the administrative penalties scheme has been revised. The experience of other Italian regulatory sectors (where an increase in sanctions has increased market operators’ focus on their legal obligations and led to a reduction in the number of violations) has most likely led to the decision to implement a more severe punishment scheme in the data protection sector, as part of the Italian Data Protection Authority’s plan to ensure that controllers are more focused on data protection and take more responsibility.
1. Failure to provide information, or provision of inadequate information, to the data subject (Article 161 of the Italian DP Code).
The fine for failure to provide an information notice (or adequate information) to the data subject, will now be between 6,000 and 30,000 EUR (the original fine was in the region of 3,000-18,000 EUR);
2. Failure to comply with requirements in case of assignment of data or other provisions on processing of data (para 1 of Article 162 of the Italian DP Code).
The fine for failure to comply with these requirements will be from 10,000 to 60,000 EUR (the original fine was 5,000- 30,000 EUR);
3. Unlawful disclosure of medical data (para 2 of Article 162 of the Italian DP Code)
The fine for failure to comply with the obligation only to disclose medical data to the data subject through a physician expressly identified by the data subject or by the controller will be from 1,000 to 6,000 EUR (instead of the original amount of 500-3,000 EUR);
4. Failure to notify or incomplete notification (Article 163 of the Italian D Code)
The fine for failure to comply with a notification requirement on time will be between 20,000 and 120,000 EUR (instead of the original amount of 10,000-60,000 EUR);
5. Failure to provide the Garante with requested information/documents (Article 164 of the Italian DP Code)
The fine will be 10,000- 60,000 EUR (instead of the original amount of 4,000 -24,000 EUR) where the controller fails to provide the Garante with information or documents formally requested by the Authority;
6. Minor violations and more serious violations (new Article 164-bis of the Italian DP Code)
In contrast to the original set of rules concerning administrative fines, according to the new penalties scheme, a reduction of two fifths can now be applied to fines where the violations are minor, considering the financial or social nature of the processing. This applies to the fines above.
However, a fine of 50,000- 300,000 EUR will be imposed where:
- there are more serious violations of the provisions (Articles 161, 162 para.1, 162 para 2-bis, 162 para 2-ter, and 163);
- more than one of the provisions were breached; and
- the processing relates to a database which is significant in size or content.
A company cannot benefit from a removal of the penalty in return for payment of a reduced amount (i.e. “pagamento in misura ridotta”).
In more serious cases, in particular whenever the damage suffered is more substantial or if the violation concerns several data subjects, the upper and lower thresholds of the applicable fines under Articles 161 to 164-bis shall be doubled. Additionally, the fines under Articles 161 to 164-bis may be increased by up to four times if they prove ineffective on account of the offender’s financial status.
7. Failure to implement minimum security measures under Article 33 of the Italian DP Code
The original penalty (Article 169 of the Italian DP Code) for failure to implement minimum security measures was imprisonment of up to 2 years (unless within the Authority’s deadline, the controller complies with any conditions imposed by the Garante as a result of administrative proceedings which established that the minimum security measures had not been implemented) OR the payment of a fine of 10,000 - 50,000 EUR.
Under the new administrative penalties scheme (para 2-bis of Article 162, and Article 169 of the Italian DP Code) failure to comply with this requirement will now be subject to both penalties, i.e. imprisonment of up to 2 years (unless, within the Authority’s deadline, the controller complies with any prescriptions imposed by the Garante as a result of administrative proceedings and payment of an increased fine now 20,000-120,000 EUR without the possibility of removing the charge by payment of some of the fine.
8. A significant change has also been introduced by Article 44 of the d.l. 207/2008
Under the new provisions of para 2-bis of Article 162 of the Italian DP Code, whenever personal data are processed without the consent of the data subject (including, without limitation, processing of traffic data, processing of phone numbers collected on phone directories, White Pages, processing of sensitive data, etc.) the offender shall be subject to a criminal sanction (i.e. imprisonment for a period of time depending on the kind of processing and/or of the type of data) and to a new administrative fine of between 20,000-120,000 EUR;
9. A specific sanction has now been introduced
Where there is a failure to comply with measures set forth under general prescriptions of the Garante or in case of failure to follow a prohibition by the Garante on further processing personal data (e.g. data collected unlawfully) (para. 2-ter of Article 162 of the Italian DP Code): in this case the fine will be in the range of 30,000 to 180,000 EUR.
Finally, in all violations under Articles 161-164-bis, the offender shall be responsible for publishing the Authority’s order in the newspapers identified in the decision and for bearing the relevant costs.
D.L. 207/2008, Article 44 has also amended the amount of fines provided under para 1 of Article 62 of the Italian Consumers Code (D.lgs. 206 dated 6 September 2005). Therefore, where there is failure to comply with the provisions on conclusion of a contract with the consumers (including the use of distance communication technology without the consumer’s consent) the professional can be sanctioned with a fine of between 3,000 to 18,000 EUR (instead of 516 - 5,165 EUR).