On April 4, 2013, the Italian Data Protection Authority (hereinafter “DPA”) issued the resolution that implements measures related to the notification of data breaches, under section 32-bis, paragraph 6, of the Data Protection Code.
This new resolution on the obligation to notify personal data breaches to the Data Protection Authority (and, as the case may be, to the individuals concerned) applies not to all data controllers holding and processing personal data for their respective business or institutional purposes, but only to the providers of publicly available electronic communications services (hereinafter the “providers”), i.e. the entities providing the public, on public communications networks, with services that consist mainly or exclusively “in the conveyance of signals on electronic communications networks”.
In addition, the above requirement applies whenever “conventional” electronic communications service providers are involved alongside other operators, e.g. the so-called Mobile Virtual Network Operators (MVNOs). In that case, the obligation to notify any breach affecting customers’ (or other individuals’) personal data lies with the MVNO, since the latter is – as a rule – the only entity knowing the customers’ identities. However, if the service is factually provided jointly with the MNO (the mobile network operator hosting the MVNO), so that the systems affected may be under the MNO’s exclusive control, the MNO will have to disclose all the events and the information concerning the breach to the MVNO, in order for the latter to notify the DPA and – where appropriate – its customers as required by the law.
Under this new resolution, the providers of publicly available electronic communications services are required to give an initial, albeit summary, notification to the Data Protection Authority of any personal data breach suffered by them within 24 hours from the time they become apprised of such breach, and to make available any additional information by 3 days from the said initial notification.
In addition, the resolution states that, if the breach was not detected at the time the relevant event occurred, those providers have to specify in the notification to the DPA the reasons why the breach was not detected immediately, along with the measures that were taken, or are intended to be taken, in order to prevent this from occurring again.
Ultimately, the resolution lays out that those providers have to provide at least the following information to the DPA already in the initial notification of any personal data breach affecting them:
1. Information to identify the provider;
2. A short description of the breach;
3. Specification of the date (including the estimated date) when the breach occurred and the time when the breach was detected;
4. Specification of the place where the data breach occurred, including whether the breach occurred following the loss of mobile devices or media;
5. Specification of the nature and type of the data that are (presumably) affected;
6. A short description of the processing or storage systems used for the affected data, including their location.
The resolution further requires those providers to:
d. Notify the contracting parties, or the other individuals to whom the personal data affected by the breach relate, by 3 days from the time the said providers become apprised of the breach;
e. Enter the data breach suffered by them in the inventory at the time they notify the breach to the DPA as per paragraph 5 above, and make sure that such additional findings as may be made thereafter, also following further inquiries, are promptly entered as well.
Source: Garante per la protezione dei dati personali