Data Protection & Privacy in Italy

Law and the regulatory authority

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The primary legislation governing the processing of personal data by private entities and public institutions in Italy is the EU General Data Protection Regulation (GDPR) (2016/679). Specific rules for privacy in the electronic communications sector are contained in EU Directive 2002/58/EC. Specific Italian legislation on data protection is set forth in the Personal Data Protection Code (Legislative Decree 196/2003), which implements EU Directive 2002/58/EC and has been largely amended by Legislative Decree 101/2018 in order to align its content with the GDPR.

EU Directive 2016/680 specifically regulates the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. It has been implemented in Italy by Legislative Decree 51/2018.

Additional sector-specific guidance is set out in the supervisory authority’s decisions, recommendations and guidelines (eg, as regards system administrators and the processing of personal data relating to fidelity cards).

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Italian Data Protection Authority oversees data protection legislation. Its investigative powers include the ability to obtain access to information – including personal data – from the data controller or processor and the power to carry out on-premise audits and inspections. When carrying out formal inspections, the authority can demand copies of manual records and databases. The decisions of the authority are published.

Data protection rules may also be enforced by judicial authorities when they hear claims brought by individuals.

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

Yes. On a general level, supervisory authorities are bound under Article 61 of the GDPR to provide each other with relevant information and mutual assistance, with particular regard to information requests and supervisory measures, such as the carrying out of authorisations and consultations, inspections and investigations.

Moreover, Article 60 of the GDPR envisages provisions on cooperation between supervisory authorities in cases of cross-border processing between EU member states. In this latter case, Articles 56(1) and 56(2) identify, respectively, the lead supervisory authority and one or more concerned supervisory authorities. The lead authority has primary responsibility for dealing with the cross-border data processing activity, while concerned authorities must be involved in the decision in order to express their views on the matter. In a cross-border processing scenario, all authorities involved are legally obliged to exchange all relevant information with each other, while the lead authority must submit a draft decision to the concerned authorities in order to take due account of their views.

When the lead and concerned authorities are unable to reach a common decision, or where there is no agreement on which supervisory authority is the lead authority, Articles 63 and following of the GDPR envisage a consistency mechanism whereby the European Data Protection Board has the final word on the matter by issuing of a binding decision.

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Yes. Breaches of the GDPR and the Personal Data Protection Code are subject to the administrative sanctions provided under Article 83 of the GDPR, which can reach up to €20 million or, for undertakings, up to 4% of total worldwide annual turnover, if higher. Moreover, under Article 58 of the GDPR the supervisory authority may impose a temporary or definitive limitation including a ban on processing.

Under EU law, the provision of criminal penalties is generally determined by member states. In Italy, the Personal Data Protection Code includes several criminal provisions relating to certain instances of wilful unlawful processing of personal data and to the wilful provision of false information to the supervisory authority. Only natural persons may incur a criminal sanction, while both natural and legal persons may incur an administrative sanction.

Administrative sanctions may be imposed by the supervisory authority; criminal penalties may be issued only by the judicial authority.

Scope

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The GDPR applies to both private and public organisations when they process personal data, even when public organisations perform activities in the public interest.

However, the GDPR does not apply to some instances of personal data processing, as provided by Article 2(2):

• in the course of an activity which falls outside the scope of EU law;
• by the member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union, which regulates EU competence in matters of foreign and security policy; and
• by a natural person in the course of a purely personal or household activity (the European Court of Justice in decision C‑212/13 has held that this exemption should be interpreted narrowly (Paragraph 30)).

Legislative Decree 51/2018, which implements EU Directive 2016/680, specifically regulates the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Yes. Legislative Decree 51/2018, which implements EU Directive 2016/680, specifically regulates the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

More specifically, interception of communications is typically regulated by the Criminal Code and the Code of Criminal Procedure, as recently amended by the Legislative Decree 216/2017.

Where the monitoring and surveillance of individuals are carried out by private entities or by public authorities outside the purposes of Legislative Decree 51/2018, the GDPR and the Personal Data Protection Code apply.

Electronic marketing is regulated by the Personal Data Protection Code, in the part which transposes the EU e-Privacy Directive (2002/58/EC), and by the relevant decisions and guidelines of the Italian Data Protection Authority.

Identify any further laws or regulations that provide specific data protection rules for related areas.

Being a so-called ‘omnibus regime’, EU and Italian data protection law is not sector-specific and, as such, generally applies to all areas where the processing of personal data takes place.

More sector-specific guidance is typically set forth in the Italian Data Protection Authority’s decisions, recommendations and guidelines, some of which were adopted before the GDPR became applicable but are still in force (eg, as regards system administrators, the processing of personal data relating to fidelity cards and social media marketing). Regarding e-health records, the Agency for Digital Italy has published a webpage containing the relevant legislation.

What forms of PII are covered by the law?

Article 2(1) of the GDPR covers the processing of personal data wholly or partly by automated means (eg, data processed by means of a computer or any other electronic device) and processing other than by automated means of personal data which forms or is intended to form part of a filing system (eg, a paper-based archive).

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

As provided by Article 4(2) of the GDPR, EU and Italian data protection law may apply to the processing of personal data which concerns natural persons who are in Italy, but performed by entities not established in Italy, where the processing activities are related to:

• the offering of goods or services (even free of charge) to such natural persons in Italy; or
• the monitoring of their behaviour, as far as their behaviour takes place within Italian territory.

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

EU and Italian data protection law applies to any operations that are performed on personal data.

The law draws a distinction between the data controller (ie, the entity that determines the purposes and means of the personal data processing (Article 4(7) of the GDPR)) and the data processor (ie, the entity that processes the personal data on behalf of the data controller (Article 4(8) of the GDPR)).

The law provides for different duties for data controllers and processors, although some obligations apply to both (most notably, security obligations under Article 32 of the GDPR).

Legitimate processing of PII

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Yes. Any processing of personal data must be grounded on one or more of the six legal bases provided by Article 6(1) of the GDPR. In particular, any processing of personal data is lawful when the data subject has provided their consent or where the processing is necessary:

• for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
• for compliance with a legal obligation to which the data controller is subject;
• in order to protect the vital interests of the data subject or of another natural person;
• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Does the law impose more stringent rules for specific types of PII?

Yes. The processing of certain categories of personal data which pertains to intimate aspects (eg, genetic data and data concerning health, or revealing racial or ethnic origin – so-called ‘special categories of personal data’) is generally prohibited under Article 9(1) of the GDPR. The processing of such data must be grounded on one of the narrow exceptions set forth Article 9(2) of the GDPR, provided that one of the legal bases provided for in Article 6(1) of the GDPR also applies.

Similarly, the processing of personal data relating to criminal convictions and offences must be based on one of the legal bases provided by Article 6(1) and carried out under the control of the official authority or when the processing is authorised by law.

Data handling responsibilities of owners of PII

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes. Pursuant to Article 13 of the GDPR, where personal data is collected directly from the individual, the data controller must provide the following information:

• the identity and contact details of the controller and, where applicable, of the controller's representative;
• the contact details of the data protection officer, where present;
• the purposes of the processing for which the personal data is intended and the relevant legal basis;
• where the processing is based on the legitimate interest ground, which legitimate interests are being pursued;
• the recipients or categories of recipients of the personal data, if any;
• whether the controller intends to transfer personal data to a third country or international organisation, along with further information regarding the lawfulness of the transfer;
• the period for which the personal data will be stored or, if that is not possible, the criteria to determine that period;
• the existence of each data subject’s rights;
• where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
• the existence of automated decision making, including profiling, which produces legal effects or similarly significantly affects the data subject, and meaningful information about the logic involved, as well as the significance and possible consequences of such processing for the data subject.

Where personal data is not collected from the data subject, pursuant to Article 14 of the GDPR, the data controller shall provide the data subject with the same information set forth by Article 13, in addition to the categories of personal data concerned, the source from which the personal data originates and whether it came from a publicly accessible source.

This information must be provided prior to the processing.

When is notice not required?

Pursuant to Articles 13(4) and 14(5)(a) of the GDPR, the provision of information to the data subject is not required insofar as the data subject already has the information.

Moreover, where personal data is not collected from the data subject, under Articles 14(5)(b) to (d) of the GDPR, the provision of information is not required in the cases where, respectively:

• provision proves impossible or would involve a disproportionate effort;
• obtaining or disclosure is expressly laid down by EU or member state law to which the controller is subject; or
• the personal data must remain confidential subject to an obligation of professional secrecy.

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Yes. EU and Italian data protection law endeavours to offer individuals a high level of control over their personal data. This is a primary feature of the fundamental right to the protection of personal data, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, on which the adoption of the GDPR is grounded. Many provisions of the law endeavour to provide individuals with a high degree of choice or control over the use of their data. The subjective rights granted to data subjects under Chapter III of the GDPR are the provisions where this aim is most evident.

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes. Pursuant to Article 5(1)(d) of the GDPR, personal data must be accurate and, where necessary, kept up to date.

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Pursuant to the data minimisation principle set forth in Article 5(1)(c) of the GDPR, the controller must process only the personal data that is adequate, relevant and necessary to achieve the legitimate aim pursued.

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

In principle, the controller may process the personal data for any purpose, as long as it is legitimate.

The GDPR has adopted the principle of purpose limitation in Article 6(1)(d), pursuant to which personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Yes. Article 6(4) of the GDPR envisages a general test of compatibility between the original and the new purpose, pursuant to which the latter is allowed where the controller has successfully carried out and documented the outcome of such test.

Processing for new purposes is also allowed where the data subject has provided their consent or where the processing is based on the law.

Moreover, pursuant to Article 6(1)(d), processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not to be considered incompatible with the initial purposes, where it respects Article 89(1).

Security

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Both controllers and processors are accountable for the security measures they have implemented. Article 32 of the GDPR requires the adoption of appropriate security measures – both technical and organisational – by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons.

In 2018 the EU Agency for Network and Information Security issued both a handbook on the security of personal data processing, which provides guidance on the minimum technical standards to be provided by companies for personal data processing, and technical guidelines for the implementation of minimum security measures for digital service providers, which aim to provide a common approach at the EU level regarding security measures to be implemented by digital service providers. 

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

Yes. In case of a data breach, the controller must, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach, notify the supervisory authority. The data controller must provide to the authority the information set forth in Article 33(3) of the GDPR, which includes:

• the nature of the personal data breach;
• the categories and approximate number of data subjects concerned;
• the likely consequences of the breach; and
• the measures taken or proposed to be taken to address it and mitigate its effects.

The supervisory authority need not be informed of the breach where it is unlikely to result in a risk to the rights and freedoms of data subjects, while both the authority and affected individuals must be informed where the breach is likely to result in a high risk for the persons concerned, under Article 34 of the GDPR.

EU supervisory authorities have provided guidance on data breaches in their relevant guidelines. The Italian Data Protection Authority has made available a template for the notification of data breaches: www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9128501. 

Internal controls

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Yes. The appointment of a data protection officer (DPO) is mandatory under specific circumstances. Under Article 37 of the GDPR, as interpreted by the EU supervisory authorities’ relevant guidelines, organisations must appoint a DPO where their core activities consist of processing operations which require regular, systematic and large-scale monitoring of data subjects, or the large-scale processing of special categories of data or data relating to criminal convictions and offences.

According to Paragraph 2 of the guidelines, unless it is obvious that an organisation is not required to designate a DPO, data controllers and processors should document and update over time the internal analysis carried out to determine whether a DPO is to be appointed.

Under Article 39, the DPO has the following tasks, which must be performed with due regard to the risk associated with the relevant processing operations:

• inform and advise the controller or the processor and the employees of their obligations pursuant to data protection law;
• monitor compliance with data protection law and with the policies of the controller or processor in relation to personal data protection, including the assignment of responsibilities, awareness raising, training and audits;
• provide advice where requested regarding the data protection impact assessment and monitor its performance; and
• cooperate with and act as the contact point for supervisory authorities.

The Italian Data Protection Authority has published an informative one-page guide on the DPO: www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/6383594.

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Yes. Under Article 30 of the GDPR, both controllers and processors (and, where applicable, their representatives) must maintain a record of processing activities. This obligation does not apply where the organisation employs fewer than 250 persons, unless the processing it carries out is likely to result in a risk to data subjects, is not occasional or includes special categories of data or data relating to criminal convictions and offences. Such exceptions are to be interpreted in a restrictive way, on the basis of the Article 29 Working Party position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) of the GDPR.  

Moreover, pursuant to Article 24(2) of the GDPR, where proportionate in relation to their activities, controllers must implement appropriate data protection policies.

Are there any obligations in relation to new processing operations?

Yes. Article 25 of the GDPR envisages data protection by design and by default obligations towards data controllers.

Pursuant to Article 25(1) of the GDPR, the controller must, prior to the processing, implement appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet GDPR requirements.

Moreover, Article 25(2) of the GDPR mandates the controller to implement appropriate technical and organisational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed by default.

Finally, the controller must perform a risk assessment on data subjects’ rights prior to any new processing activity, in order to determine both the security measures to be implemented and the need to carry out a full-fledged data protection impact assessment on the processing.

Registration and notification

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

No.

What are the formalities for registration?

Not applicable.

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable.

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable.

Is the register publicly available? How can it be accessed?

Not applicable.

Does an entry on the register have any specific legal effect?

Not applicable.

Are there any other public transparency duties?

Not applicable.

Transfer and disclosure of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Prior to engaging an entity which processes personal data on its behalf (ie, a data processor), under Article 28(1) of the GDPR the data controller must ensure that the processor provides sufficient guarantees of compliance with the law. Moreover, under Article 28(3), the processing of personal data between a data controller and a data processor must be regulated by a contract or other legal act that is binding on the processor and contains the minimum content required under such provision.

Conversely, the disclosure of personal data from a data controller to another controller amounts to processing of personal data and therefore requires the occurrence of a legal basis among those provided under Article 6(1) of the GDPR.

Data subjects must be informed beforehand of the possible disclosure of their personal data to a recipient or category of recipients, under Articles 13(1)(e) and 14(1)(e).

Describe any specific restrictions on the disclosure of PII to other recipients.

There are no specific restrictions.

Is the transfer of PII outside the jurisdiction restricted?

Personal data flows freely within the European Economic Area (EEA) and countries that ensure an adequate level of protection pursuant to a European Commission decision (Article 45 of the GDPR).

Under Article 46 of the GDPR, other notable legal grounds for the transfer of personal data outside the EEA include model clauses, the EU-US Privacy Shield for transfers to the United States, codes of conduct and certification mechanisms and the adoption of adequate rules of conduct within the framework of companies belonging to the same group (binding corporate rules).

Personal data may also be occasionally transferred in the exceptional circumstances provided for by Article 49 of the GDPR, as interpreted by the relevant EU supervisory authorities’ guidelines.

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No. Notification to the supervisory authority is required only where organisations wish to rely on the very exceptional provision set forth in Article 49(1)(2).

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers (whether by service providers or PII owners)? 

Restrictions on personal data transfers outside the EEA also apply to onward transfers from the third country or international organisation to another third country or international organisation, under Article 44 of the GDPR.

Rights of individuals

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Yes. The right of access to personal data is provided under Article 15 of the GDPR.

This right may be exercised by the data subject by any means (eg, by contacting the data controller via email or fax). However, the data controller, where possible, should provide remote access to a secure system which provides the data subject with direct access to the personal data (Recital 63).

Under Article 12(5) of the GDPR, where requests from a data subject are manifestly unfounded or excessive, the controller may refuse to act on the request.

The possibility and conditions for EU or member state law to provide for limited and sector-specific restrictions to this and other rights are set forth in Article 23 of the GDPR, subject to EU fundamental rights law requirements.

Do individuals have other substantive rights?

Yes. Data subjects have the following rights under the GDPR:

• the right to obtain from the controller the rectification of inaccurate or incomplete personal data under Article 16;
• the right to obtain the erasure of their personal data in cases provided under Article 17; and
• the right to obtain the restriction of processing in the cases provided under Article 18.

Article 20 gives data subjects the right to obtain their personal data which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit such data to another controller, where the legal basis for the processing is the data subjects’ consent or the performance of a contract.

Under Article 21, where the processing is based on a legitimate interest or on the performance of a task carried out in the public interest or in the exercise of official authority, the data subject has the right to object to the processing.

Finally, Article 22 provides individuals with the prima facie right not to be subject to a decision based solely on automated decision making which produces legal effects or similarly significantly affects the individual.

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Yes. Data subjects have the right to obtain compensation for both material and non-material damages suffered as a result of a breach of the GDPR, under Article 82. Under Italian tort law, the plaintiff must be able to show both a breach of the law and the actual occurrence of (even non-material) damage.

Both the controller and processor are jointly and severally liable toward the data subject. The entity that has paid full compensation is entitled to claim back from the other entity involved in the same processing part of the compensation corresponding to their responsibility.

While the controller is liable for the damage caused by any processing which infringes the GDPR, the processor is liable only where it has infringed specific GDPR provisions addressed to processors or where it has acted contrary to or outside the legitimate instructions of the controller.

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Data subjects’ rights provided under Articles 15 to 22 of the GDPR may be enforced by both the supervisory authority and the national courts.

On the other hand, the right to compensation for damages suffered as a result of the processing may be enforced only by bringing proceedings before the competent national court.

Exemptions, derogations and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

No.

Supervision

Can PII owners appeal against orders of the supervisory authority to the courts?

Yes. Both controllers and processors may appeal before the national courts a decision issued against them by the supervisory authority.

Specific data processing

Describe any rules on the use of ‘cookies’ or equivalent technology.

Article 122 of the Personal Data Protection Code (implementing the EU e-Privacy Directive 2002/58/EC) prescribes that the use of cookies or similar technologies which involve the storing of and accessing information that is already stored on a user’s (either a natural or legal person) device are permitted, provided that the user has given their prior informed consent.

So-called ‘technical cookies’ are exempt from this requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the user. Technical cookies may be used without the user’s consent, provided that the user is informed thereof.

The Italian Data Protection Authority has issued a general provision setting out a simplified procedure for obtaining consent for the use of cookies. The provision stipulates that a banner must be displayed on the screen when a user accesses any page of a website, in order to inform users that if they access any other section or select an item of the website, this signifies their consent to the use of cookies. The provision further stipulates that cookies used to measure traffic on a website are subject to the same rules governing technical cookies, provided that appropriate measures to reduce their power to identify a natural person are adopted and an agreement is in place with the cookie provider which prohibits the former from further processing the information gathered by the cookie.

A revision of current rules governing the use of cookies is under discussion at the EU level and is expected to come into force in the coming months.

Describe any rules on marketing by email, fax or telephone.

As a rule, Paragraphs 1 and 2 of Article 130 of the Personal Data Protection Code (implementing the EU e-Privacy Directive 2002/58/EC) prescribe that marketing communications carried out by means of email, fax, telephone and similar media require prior consent from the user (either a natural or legal person).

However, Paragraph 4 of Article 130 sets forth an exception to this rule: where the controller has processed the data subject’s email address in the context of the sale of a product or service, the controller may send marketing communications to that email address, insofar as the data subject has been duly informed and has not objected to this processing.

With specific regard to telephone marketing activities, Paragraph 3bis of Article 130 provides that data controllers may lawfully contact all the users that have not objected to receiving marketing communications by telephone, by enrolling in the Register of Oppositions. As regards the functioning of the register, Law 5/2018 provides that any user who enrols in the register withdraws any previously given consent to marketing by means of telephone, so that they may not be lawfully contacted for marketing purposes carried out through such means by any data controller. Moreover, Article 1(12) of the law provides that a controller wishing to carry out marketing activities by telephone has a duty to consult the register at least monthly and, in any case, before the start of marketing campaigns.

Describe any rules or regulator guidance on the use of cloud computing services.

Normal rules set forth by the GDPR and the Personal Data Protection Code apply, as there are no data protection rules specific to cloud computing.

However, rules governing the relationship between data controllers and processors are of particular relevance in this field, considering that the cloud customer typically qualifies as data controller while the cloud provider qualifies as data processor. As a result, pursuant to Article 28(1) of the GDPR, the cloud customer must carry out and document the performance of a due diligence on the cloud provider (eg, by submitting and evaluating specific questionnaires), aimed at ascertaining whether the latter can provide a data protection law-compliant solution. In this context, assurances related to the implementation of adequate security measures assume particular importance.

Moreover, the cloud customer and provider must enter into a data processing agreement under Article 28(3) of the GDPR.

At the EU level, supervisory authorities adopted Opinion 05/2012 on Cloud Computing, which stresses the cloud client’s responsibilities as a controller and recommends that the latter exercises special care and diligence in selecting a provider that guarantees compliance with data protection law, also with regard to the use of sub-providers. The opinion highlights the role that contractual safeguards play in this respect. A specific area of concern in this field is the lawfulness of any cross-border international data transfers outside the EEA, which the cloud customer must map and regulate in accordance with the law.

The Italian Data Protection Authority also issued guidelines in 2012, highlighting the risks involved in implementing cloud solutions (eg, security issues and loss of control over data), and recommending that the cloud client maps the relevant risks before choosing both a suitable cloud solution and which categories of personal data to entrust to the cloud.

Update and trends

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

A recent hotly debated topic in Italy is the legitimacy of data platforms, which leverage the right to data portability of their users in order to allow them to monetise their personal data. These platforms exercise multiple data portability requests against companies (especially large retailers) on behalf of their users, with the aim of creating ‘personal data vaults’ which, at the choice of the users, may be sold on the data market. Under EU and Italian data protection law, it is disputable whether the right to data portability may be used with the explicit aim of monetising personal data, considering the strong fundamental-rights dimension of the law, as opposed to more consumer-centric models of, for example, US data privacy law. On 1 August 2019 the Italian Data Protection Authority referred the matter to the European Data Protection Board, with the aim of establishing a common position at EU level. In the meantime, data controllers are free to determine whether or not to satisfy portability requests exercised by such platforms, as long as they motivate and document their position in accordance with the accountability principle.

The Italian Data Protection Authority recently took part in a joint effort with the antitrust and telecommunication authorities concerning the regulation of Big Data. The resulting document, jointly issued by the three entities on 2 July 2019, sets forth relevant guidelines and policy recommendations for the government. Most interestingly, it establishes a permanent coordination mechanism between the three relevant authorities and calls for the adoption of a common standard for data portability between different platforms.

Greater scrutiny and enforcement actions in this field are to be expected in the near future.

Law stated date

Give the date on which the information above is accurate.

9 August 2019.