The European privacy regulation (GDPR) can now rely on detailed guidelines from Italian data protection authority on how to comply with it.
After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali, (the “Italian DPA“) issued its 6 step methodology on the GDPR which aims at also increasing awareness on the most relevant changes introduced:
1. More detailed consent and broader legitimate interest
As already provided by the current regime, any type of processing of personal data needs to have a legal basis justifying it. In particular, among others, with reference to
An explicit (but no longer written) consent is required with reference to the processing of sensitive data (e.g. health related data that are now incorporated in the broader “special” category of data) and to the processing based on automated decision making. The latter is a burdensome obligation in case of automated decisions involving health related data since the manual processing of requests might not be economically feasible for companies in some cases. Therefore, other solutions need to be identified to avoid the risk that some customers do not give their consent to the automated processing of their applications.
Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the current regime meets also the requirements of the GDPR, no new consent is required. On the contrary, if this is not the case, a new consent shall be obtained before the 25th of May 2018.
The legitimate interest shall no longer be identified by means of a decision of the data protection authority. But the balancing test necessary to rely on it in order to be a legal basis for the data processing shall be performed by the data controller. The criteria identified in previous decisions of the Italian DPA relating to for instance biometric data and CCTV still apply. However, there is a new and wider possibility to exploit the legitimate interest as an alternative to the consent.
This is a major change since the scope of the legitimate interest (which would avoid the need to rely on individuals’ consent) is very broad as the GDPR requires to assess whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place“.
2.Longer privacy information notice, but multi-layer
A much wider amount of compulsory information shall be listed in the privacy information notice. The most relevant change in my view is the need to expressly mention the storage period of personal data. This will force companies to adopt a strict internal policy and technical measures to delete or anonymise data on the expiry of the storage period.
Also, the privacy information notice shall be concise, transparent easily accessible and easy to understand. It can rely on standardised icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasised that the European Privacy Regulation pushes for the implementation of multi-layer privacy information notices in order to ease their understanding by the public. This would be essential given the very large amount of information to be included in the notice under the GDPR.
Also, strict deadlines are provided by the GDPR for the provision of the privacy information notice in case of personal data that is not collected from the data subject. Companies shall put in place procedures to be able to comply with such deadlines, otherwise they will be able to justify why the provision of the privacy information notice requires disproportionate efforts.
A privacy information notice compliant with the GDPR shall be in place before the 25th of May 2018 and therefore some operators that have relationship once a year with their customers might need to move quite fast!
3. Reinforced rights with the novelty of the data portability right
The GDPR sets strict deadlines to comply with the requests of exercise of individuals’ rights and therefore ad hoc internal organisational and technical procedures shall be put in place to address such requests. Also, the European data protection authorities might issue some guidelines on the potential “reasonable fee” to be paid by individuals in extraordinary circumstances for the exercise of their rights.
The rights of access and erasure (the so called “right to be forgotten“) are reinforced, while the new rights of restriction and portability are introduced. In particular, the right of restriction allows to limit the further processing of personal data, pending a decision on it, and obliges to adopt a procedure to “mark” such data up to the expiry of this transitional period. While with reference to the data portability right, the Italian DPA refers to the opinion on the Article 29 Working Party.
4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains
Data processing agreements with data processors shall be amended since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to have in place a record of data processing activities, to implement adequate technical and organisational measures and, if it falls under specific categories, to appoint a data protection officer. The European Commission is considering the adoption of standard clauses for data processing agreements, but the main change relates to the controls to be implemented to monitor data processors.
A positive change is that data processors can appoint sub-processors, but data processors remain liable towards the data controller for the activities of their sub-processors, unless “it proves that it is not in any way responsible for the event giving rise to the damage“.
Interestingly, the Italian DPA provides that the individuals accessing to personal data shall still be appointed as “persons in charge of the data processing“ (incaricati del trattamento), which was a peculiarity of the Italian Privacy Code. Indeed, in order to prove the implementation of adequate technical and organisational measures, strict instructions shall be given to whoever has access to personal data.
5. Need to adopt an accountability program
The accountability principle is one of the major changes introduced by the General Data Protection Regulation. This requires that companies processing personal data are able to prove to have adopted the measures necessary to comply with the GDPR by means of a so called “accountability program“.
The accountability program finds two of its main elements in the implementation of a privacy by design and a privacy by default approach and in the performance of a privacy impact assessment that can be followed by a consultation with the competent data protection authority.
Such elements require that an assessment on the legality of the data processing activities is no longer performed by the data protection authority, but needs to be carried out by each entity processing personal data. This is the reason why the notification to the Italian DPA and the obligation to run a prior check with it in some circumstances will be removed with the GDPR.
Other elements of the accountability program are
- The establishment of a record of processing activities which the Italian DPA recommends to any company, regardless of their size and for which it might issue a template;
- The implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk“, which can no longer be limited to the minimum security measures provided so far by the Italian privacy code. But, the Italian DPA is considering to issue guidelines on the security measures to be put in place;
- The adoption of a procedure for the notification to the Italian DPA and the communication to the relevant individuals of data breaches, “unless the controller is able to demonstrate [—] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons“. For this purpose, data controllers shall also “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken“, regardless of whether it has been notified to the Italian DPA and make it available upon request; and
- The appointment of a data protection officer on which the Article 29 Working Party issued an opinion.
6. No major change for transfers of data outside the EEA
Principles and tools as those currently provided remain for the transfer of personal data outside of the European Economic Area. It is possible to rely on codes of conducts, but those shall be expressly approved by the competent data protection authority.
Also, it is not possible for courts of non-EEA countries to order the transfer of personal data outside the EEA. This shall occur either on the basis of international treaties or if the relevant EU Member State recognises the public interest to the data transfer.