On February 1st 2018 the Italian Data Protection Authority (DPA) published the inspection plan for the first semester of 2018. According to this inspection plan, the Italian DPA will focus its controls on processing activities of health data for research purposes, rating the solvency of enterprises, national statistical systems, the Italian Public System of Digital Identity (SPID), telemarketing, processing activities of sensitive data and the compliance of public and private entities with the principles of information, freedom of consent, data minimization and data retention.
Specifically, the Italian DPA inspection activity will concentrate on:
1. assessments with reference to profiles of general interest for data subject categories in the context of:
- transfer of data concerning health from the Local Health Authorities (“ASL”) to third parties for their research purposes;
- a preliminary check on the SIM (Integrated System of Microdata) and other statistical information systems carried out by the Italian National Statistical Institute (“ISTAT”), as per the opinion on the national statistical program of October 20 2015;
- processing of personal data for the issuing of the SPID;
- processing of personal data carried out by companies for telemarketing activities, in relation to the numerous data subjects’ complaints received by the Authority;
- data processing carried out by rating companies on the risk and solvency of companies.
2. security measures implemented in processing activities, carried out by private and public entities, concerning sensitive data (as defined in Section 4 of the Italian Privacy Code);
3. monitoring the compliance of public and private entities with the rules on information, freedom of consent, data minimization and data retention.
At the moment the Special Privacy Unit of the Italian Finance Police (“Nucleo Speciale Privacy della Guardia di Finanza”) has planned 155 inspections, 15 of whom are concerning the processing indicated under point a), 20 are about the security measures under point b) and for the most part, 120 controls, will be carried out on the entities and processing activities indicated under point c).
Other inspections may, eventually, arise in relation to reports and complaints with particular attention to specific and serious violations.
Considering that the activities under point b) and c) are the ones most impactful for private companies, it is fundamental for any Data Controller to be able to demonstrate their compliance with the Italian Privacy Code and, after 25th of May, also with the GDPR.
It is particularly advisable to:
- in case of telemarketing activities, make sure that a specific and informed consent for marketing purposes was collected prior to processing and that the recipient of the promotional communication is not entered in the “Register of the Oppositions”, pursuant to Law n. 5/2018 concerning the new provisions on the registration and functioning of the Register of Oppositions and creation of national prefixes for telephone calls for statistical, promotional and market research purposes;
- in case of processing of sensitive data, make sure that the processing complies with the requirements provided in Art. 26 of the Italian Privacy Code and that, after 25th of May 2018, that at least one of the legal bases provided in Art. 9.2 of the GDPR applies;
- map all the processing activities taking place together with the related security measures and data retention time, in order to be able to demonstrate a systematic and diligent approach to data protection compliance, and thus be able to respond swiftly to any question arising from the Italian DPA.