The Italian Supervisory Authority’s inspection plan, already under way for the July to December 2019 period, was published after the September 12, 2019’s Resolution was taken.
The inspection activity, which may be carried out either directly by the officials of the Authority’s Office or through the Financial Force of the Italian Republic, i.e. “Guardia di finanza”, shall be carried out to the initiative of the Authority and shall be directed at:
a) inquiries in relation to profiles of general interest for categories of data subjects in the context of:
– the processing of personal data by means of applications for the management of reports of misconduct (c.d. whistleblowing);
– the processing of personal data by banking institutions, with specific reference to flows to the accounts’ Registry;
– the processing of personal data by intermediaries for activities related to electronic invoicing;
– the processing of personal data by companies for marketing purposes;
– the processing of personal data by public bodies, in relation to large scale databases;
– the processing of personal data by companies with particular reference to the profiling of data subjects having subscribed to loyalty cards;
– the processing of personal data by companies in the field known as “food delivery”;
– the processing of personal data in the Health sector by private companies;
b) checks on persons, public and private, belonging to homogeneous categories, under the lawful conditions for the processing of personal data and under the conditions for consent where processing is based on this assumption, in compliance with the disclosure requirements and on the duration of data retention. With that in mind, special attention is paid to substantive profiles of the processing which explain significant effects on the data subjects.
In any case, the Office may carry out further inspection and audit activities, or follow-ups from reports or complaints.