
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Italian data protection laws are ahead of the international curve. The Data Protection Code (Legislative Decree 196/2003) implemented EU Directives 95/46/EC and 2002/58/EC in a detailed and prescriptive way. This, together with related provisions issued by the Data Protection Authority, has put Italy at the forefront of EU data protection.

Italy has one of the soundest legal frameworks in the European Union with regard to balancing data subjects’ rights and businesses’ interests. The Data Protection Authority often interprets the data protection rules in ways that simplify their application for data controllers, while maintaining an intense focus on protecting individuals by rigorously enforcing the rules (e.g., the 2013 guidelines on simplified procedures to carry out multi-platform marketing activities and the new rules regarding employers’ rights to monitor employees). There is now a longstanding tradition in legal practice and interpretation that puts Italian data protection rules ahead of the international curve.

Are any changes to existing data protection legislation proposed or expected in the near future?

A new set of rules approved at the EU level was published in the Official Journal of the European Union on May 4 2016. These rules stem from the General Data Protection Regulation, the Directive on Data Processing by Competent Authorities for Law Enforcement Purposes and the Directive on Passenger Name Records. The General Data Protection Regulation, which will enter into force on May 25 2018 for all EU member states, including Italy, will substantially amend the existing rules.

There is a new procedure allowing employers to monitor employees through the electronic devices that employees use to carry out their work (Article 4 of the Workers’ Statute (Law 300/1970)).

The Data Protection Authority has published an overview of the new obligations set out in the General Data Protection Regulation and is organising public meetings with undertakings and public authorities to improve awareness among stakeholders. In addition, the Senate has approved a bill allowing the executive to implement the General Data Protection Regulation into national law.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Data Protection Code (Decree 196/2003), and specific and general provisions issued by the Data Protection Authority, govern the collection, storage and use of personal data.

Scope and jurisdiction

Who falls within the scope of the legislation?

The following entities fall within the scope of the legislation:

  • entities established in the state’s territory or in a place under the state’s sovereignty which process personal data, including data held abroad; and
  • entities established in a non-EU country that use equipment in connection with processing data (whether electronic or otherwise) in the non-EU country, unless this equipment is used only for purposes of transit through the European Union. 

The General Data Protection Regulation will broaden the territorial scope of data protection legislation in Europe in order to encompass entities established outside the European Union, where processing activities relate to:

  • the offering of goods or services to data subjects in the European Union, irrespective of whether data subjects pay for the goods or services; or
  • the monitoring of data subjects’ behaviour within the European Union.

What kind of data falls within the scope of the legislation?

Personal data falls within the scope of the legislation. ‘Personal data’ is defined as any information relating to a natural person who is or can be identified, even indirectly, by reference to any other information, including:

  • personal identification numbers;
  • identification data – personal data allowing a data subject to be identified directly; and
  • sensitive data – personal data allowing the disclosure of information relating to:
    • racial or ethnic origin;
    • religious persuasions;
    • philosophical or other beliefs;
    • political opinions;
    • political party membership;
    • trade union membership;
    • membership in associations or organisations of a religious, philosophical, political or trade unionist character; or
    • health and sex life; and
  • judicial data – personal data concerning criminal records or the status of being either a defendant in or the subject of an investigation.

The General Data Protection Regulation improves these definitions and provides as follows:

  • Personal data – any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Special categories of personal data (previously sensitive data), meaning data revealing:
    • racial or ethnic origin;
    • political opinions, religious or philosophical beliefs;
    • trade union membership;
    • genetic data;
    • biometric data;
    • health status; and
    • a natural person’s sex life or sexual orientation; and
  • Data relating to criminal convictions and offences or related security measures.

Are data owners required to register with the relevant authority before processing data?

In Italy, data owners need not register with the relevant authority before processing data. However, in certain cases provided for by law, data controllers are subject to three distinct obligations, each of which must be fulfilled before the relevant data processing activities start.

First, data controllers must notify the data subject of the processing of personal data if it concerns:

  • genetic and biometric data;
  • data that has been processed to analyse or profile individuals; or
  • credit-related information (pursuant to Section 37 of the Personal Data Protection Code).

Second, personal data that entails specific risks to data subjects’ fundamental rights must undergo a prior check by the Data Protection Authority (pursuant to Section 17 of the Personal Data Protection Code).

Third, special categories of data (eg, health data) must be processed in accordance with an authorisation from the Data Protection Authority. Authorisation is usually provided in a general fashion by the authority, but processing operations not included in the general authorisation must receive specific prior authorisation (pursuant to Section 26 of the Personal Data Protection Code).

As of May 25 2018, the General Data Protection Regulation will abolish the notification requirement and replace it with an obligation to maintain internal records of data processing activities. Therefore, in place of notifications, controllers and processors must maintain, and make available to data subjects and supervisory authorities on request, internal records that cover all of their data processing activities.

Is information regarding registered data owners publicly available?

Yes, but only in the following case: the Data Protection Authority enters notifications submitted pursuant to Section 37 of the Personal Data Protection Code into a publicly available register of processing operations, accessible via the Data Protection Authority’s website.

The General Data Protection Regulation will abolish this register. Instead, it will oblige data controllers to carry out data protection impact assessments where Article 35 so requires (as interpreted by the Article 29 Working Party’s Guidelines on Data Protection Impact Assessment) and to determine whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.

Is there a requirement to appoint a data protection officer?

There is no legislative requirement to appoint a data protection officer. However, in its general provision on the electronic health record, the Data Protection Authority strongly recommended the appointment of a data protection officer. Under the General Data Protection Regulation, public and private sector companies must appoint a data protection officer where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of the large-scale processing of special categories of data and personal data relating to criminal convictions and offences (Article 37 of the General Data Protection Regulation, as interpreted by the Article 29 Working Party’s Guidelines on Data Protection Officers).

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Data Protection Authority primarily enforces data protection legislation. It has inspection powers, corrective powers (including the capacity to issue administrative penalties) and advisory powers. When investigating organisations, the Data Protection Authority can request information and documents, although these requests are not legally binding. However, if the organisation refuses to cooperate or to allow access to its systems, the Data Protection Authority can apply for a judicial order to carry out an investigation. When carrying out formal inspections, the Data Protection Authority can demand copies of manual records and databases, which may be passed on to the judicial authorities. A report of the outcome is then published.

The data protection rules may also be enforced by judicial authorities.

As of May 25 2018, the supervisory authorities of all member states (including the Italian Data Protection Authority) will have the same tasks and powers, as set forth in Articles 55 and following of the General Data Protection Regulation. Moreover, they will be able to cooperate with the supervisory authorities of other member states (eg, lead authorities) on transnational matters. In this regard, the Article 29 Working Party has provided Guidelines on the Lead Supervisory Authority.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data must be:

  • processed lawfully and fairly;
  • collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is consistent with said purposes;
  • accurate and kept up to date;
  • relevant, complete and not excessive in relation to the purposes for which it is collected or subsequently processed; and
  • kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is collected or subsequently processed.

Any processing of personal data in breach of the above principles will be deemed to infringe the law.

Moreover, in order to process personal data lawfully, data controllers must rely on a valid legal ground, such as:

  • the data subject’s consent;
  • the necessity to comply with a legal obligation; or
  • where the data processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party or otherwise in order to comply with specific requests made by the data subject before entering into a contract.

As of May 25 2018, the legal grounds to process personal data according to the General Data Protection Regulation are as follows:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be stored in a way that allows identification of the data subject for a period no longer than is necessary in relation to the scope within which the data has been collected and processed (see Section 11 of the Personal Data Protection Code). In some cases, the law itself establishes a specific retention period – for example, providers of electronic communication services (e.g. telecoms service providers, Voice over Internet Protocol providers and email service providers):

  • can process traffic data that is strictly necessary in relation to contracting parties’ billing and connection payments for up to six months;
  • must retain telephone traffic data for 24 months from the date of communication for the purpose of detecting and suppressing criminal offences; and
  • for the same purpose, must retain electronic communication traffic data, but not the content of communications, for 12 months from the date of the communication.

The Chamber of Deputies recently approved an amendment, which is now awaiting confirmation by the Senate, to the draft Law implementing EU Directives (the ‘European Law 2017’). The amendment extends the data retention period for the purpose of detecting and suppressing certain serious criminal offences (eg, terrorist activities and activities performed by stable criminal organisations) to 72 months.

Under the General Data Protection Regulation, data controllers will have to disclose the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have the right to confirm whether personal data concerning them exists, regardless of whether it has already been recorded. Data subjects also have the right to request the communication of such data in an intelligible form.

Further, data subjects have the right to be informed of:

  • the source of the personal data;
  • the purposes and methods of processing;
  • the logic applied to processing, if it is carried out by electronic means;
  • the identity and details of the data controller, data processors and the designated representative; and
  • the entities or categories of entity to which the personal data may be communicated and the parties that may be privy to the data in their capacity as:
    • designated representatives in the state’s territory;
    • data processors; or
    • managers of the processing.

As of May 15 2018, data subjects will have further rights such as:

  • the right to lodge a complaint with a supervisory authority;
  • the right to request from the data controller rectification or erasure of personal data or the restriction of processing concerning the data subject, or to object to processing; and
  • the right to data portability (see Articles 15 to 22 of the General Data Protection Regulation). 

Do individuals have a right to request deletion of their data?

Data subjects have the right to:

  • have data that has been processed unlawfully erased, anonymised or blocked, including data which need not be retained for the purposes for which it was collected or subsequently processed; and
  • obtain certification to the effect that the processing operation has been notified (as has the content of the data) to the entities to which the data was communicated or disseminated.

The General Data Protection Regulation has further elaborated on this right by introducing the so-called ‘right to be forgotten’. According to the new rules, data subjects have the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller must comply with the request if, for example:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent and there is no other legal ground for the processing;
  • the data subject objects to the processing (i.e. profiling or direct marketing); or
  • the personal data has been unlawfully processed.

Moreover, where the data controller has made the personal data public and is obliged to erase it, the data controller, taking into account the available technology and cost of implementation, must take reasonable steps, including technical measures, to inform the data controllers that are processing the personal data that the data subject has requested the erasure of any links, copies or replications of the personal data (right to de-listing).

Consent obligations

Is consent required before processing personal data?

The processing of personal data by private entities or profit-seeking public bodies is usually based on the data subject’s express, informed, specific and freely given consent, unless one of the legal exceptions to this rule applies. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations involved in the processing.

As a rule, consent must be given in writing if the processing concerns sensitive data. Sensitive data may be processed only with the data subject’s written consent and the Data Protection Authority’s prior authorisation.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent need not be provided if, for example:

  • the processing is necessary to comply with an obligation imposed by law, regulations or EU legislation;
  • the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to comply with specific requests made by the data subject before entering into a contract;
  • the processing concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations or EU legislation with regard to their disclosure and publicity;
  • the processing concerns data relating to economic activities that are processed in compliance with the legislation in relation to business and industrial secrecy; and
  • the processing is necessary to safeguard the life or bodily integrity of a third party, or to ensure that defence counsel can carry out investigations or defend a legal claim.

Further specific exceptions to the rule of consent are contained in the Personal Data Protection Code.

Under the General Data Protection Regulation, data controllers may process personal data even without prior consent if at least one of the following applies:

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

What information must be provided to individuals when personal data is collected?

The data subject must be preliminarily informed either orally or in writing of:

  • the purposes and modalities of the processing for which the data is intended;
  • the obligatory or voluntary nature of providing the requested data;
  • the consequences if he or she fails to reply;
  • the entities or categories of entities to which the data may be communicated or that may have access to the data in their capacity as data processors or persons in charge of processing;
  • the scope of dissemination of the data; and
  • information regarding the data controller and, where designated, the data controller’s representative in the state and the data processor.

The General Data Protection Regulation establishes in Articles 12, 13 and 14 the information to be provided to individuals depending on whether personal data are collected from the data subject or not.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Personal data undergoing processing must be kept and controlled (as far as possible, considering technological innovations, the nature of the data and the specific features of the processing), in such a way as to minimise the risk of:

  • its accidental or wilful destruction or loss;
  • unauthorised access to the data; or
  • processing operations that are either unlawful or inconsistent with the purposes for which the data has been collected.  

Such measures can be specified by the Data Protection Authority via a general provision in relation to specific data processing, as done, for example, in relation to the processing of biometric data or the processing of personal data by system administrators.

In any case, data controllers must adopt security measures in order to ensure a minimum level of personal data protection. Such measures are listed in Annex B (Technical Specifications Concerning Minimum Security Measures) to the Data Protection Code.

As of May 15 2018, Annex B will no longer be in force. Data controllers will be accountable for the security measures they have implemented within their own organisations. The General Data Protection Regulation sets out a minimum set of requirements in Article 32. In this regard, the Data Protection Authority has stated that it will provide best practices on which data controllers may rely to perform their own assessment of security measures.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

According to the Personal Data Protection Code, only providers of a publicly available electronic communications service (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers) must notify data subjects of a breach.

In case of a particular risk of a breach of network security, the provider of a publicly available electronic communications service must inform the contracting parties and (if possible) users of all the possible remedies, including an indication of the likely costs involved.

When a personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the provider must also notify the contracting party or individual of the breach without delay. The notification described above is not required if the provider has demonstrated to the Data Protection Authority that it has implemented technological protection measures that render the data unintelligible to any entity that is not authorised to access it, and that the measures were applied to the data related to the breach.

The same obligation applies to data breaches related to electronic health files.

The General Data Protection Regulation introduces a similar obligation to notify data breaches to every controller and processor, regardless of their qualification as a provider of a publicly available electronic communications service.

Are data owners/processors required to notify the regulator in the event of a breach?

In case of a personal data breach, the providers of publicly available electronic communications services must notify the breach to the Data Protection Authority and the Authority for Communications Safeguards without undue delay. The same obligation applies to data breaches related to electronic health files.

The General Data Protection Regulation extends to all data controllers the duty to notify the occurrence of a data breach to the relevant supervisory authority no later than 72 hours after having become aware of it.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

There is a comprehensive set of rules governing direct marketing, resulting from the combined application of both the Personal Data Protection Code and the Data Protection Authority’s Guidelines on Marketing and Against Spam of July 4 2013.

As a rule, data controllers may contact users for direct marketing purposes with the prior consent of the user. This rule applies to communications performed by means of automated calling or communications systems without human intervention or by email, fax or text message. Consent needs to be given only once to enable marketing activities using different means of communication, provided that the data subject can opt out at any time from one or more of the means of communication used by the data controller.

Further, when the personal data is drawn from publicly available papers or electronic directories, data controllers may contact users only by telephone or mail, provided that users have not exercised their right to object (opt-out mechanism).

Finally, where a data controller uses, for direct marketing of its own products or services, electronic contact details for emails supplied by a data subject in the context of the sale of a product or service, it need not request the data subject’s consent, provided that the services are similar to those that were the subject of the sale and the data subject, after being adequately informed, does not object to the use either initially or in connection with subsequent communications.

As of May 25 2018, where personal data is processed for direct marketing purposes the data subject must have the right to object at any time to processing of his or her personal data for such marketing, including profiling to the extent that it is related to direct marketing.

Cookies

Are there rules governing the use of cookies?

As a rule, the Personal Data Protection Code prescribes that the use of cookies, storing of information and accessing information that is already stored on a user’s device are permitted, provided that the user has given his or her prior informed consent.

So-called ‘technical cookies’ are exempt from this requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the subscriber or user. Under the Data Protection Code, technical cookies may be used without the user’s consent, provided that the user is informed as required.

The Data Protection Authority has issued a general provision setting out a simplified procedure for obtaining consent for the use of cookies. The provision stipulates that a suitably sized banner must be displayed on the screen immediately when a user accesses the home page or any other page on the website, and that if the user continues browsing the website by accessing any other section or selecting any item (eg, clicking a picture or link), this signifies his or her consent to the use of cookies.

A revision of the current rules governing the use of cookies is under discussion at EU level. The new EU ePrivacy Regulation to replace the existing ePrivacy Directive (Directive 2002/58/EC as amended in 2009) is expected to come into force next year.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Personal data flows freely within the European Union and countries that ensure an adequate level of safeguards according to the European Commission.

The transfer of processed personal data to a non-EU member state is permitted if it is authorised by the Data Protection Authority on the basis that the non-EU country has adequate safeguards for data subjects’ rights, or that adequate rules of conduct are in force among companies belonging to the same group.

Other legal grounds for the transfer of personal data are provided for in the EU Model Clauses, the Binding Corporate Rules and the EU-US Privacy Shield for transfers to the United States.

Articles 44 to 49 of the General Data Protection Regulation confirm the previous legal grounds for transferring data and add approved codes of conduct and certification mechanisms as new mechanisms for transferring personal data.

Are there restrictions on the geographic transfer of data?

The transfer of processed personal data to a non-EU member state is permitted if it is authorised by the Data Protection Authority on the basis that the non-EU country has adequate safeguards for data subjects’ rights, or that adequate rules of conduct are in force among companies belonging to the same group.

Other legal grounds for the transfer of personal data are provided for in the EU Model Clauses, the Binding Corporate Rules and the EU-US Privacy Shield for transfers to the United States.

Articles 44 to 49 of the General Data Protection Regulation confirm the previous legal grounds for transferring data and add approved codes of conduct and certification mechanisms as new mechanisms for transferring personal data.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Data subjects must be informed beforehand of the possible communication of their personal data to a third party or a category of third parties. The actual communication of data must rely on a valid legal ground. For example, in order to communicate data to a third party for its own direct marketing purposes, the data controller must seek specific consent beforehand. In other cases, the communication may be authorised, if not mandated, by law. A specific form of disclosure – which does not technically amount to a 'communication' in the reading of the law – is that between a data controller and a data processor, where the latter acts under the control and instructions of the former.

The General Data Protection Regulation does not change the statement above.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Non-compliance with the data protection rules could lead to administrative penalties in the form of fines and injunctions, as well as criminal charges. It is worth underlining that, pursuant to Section 143 of the Data Protection Code, the Data Protection Authority will block or prohibit processing, in whole or in part, if:

  • it is found to be unlawful or unfair and this is partly due to the data controller’s failure to take the necessary measures to align the processing to applicable law; or
  • there is an actual risk that it may be considerably prejudicial to one or more of the data subjects with regard to:
    • the nature of the data;
    • the arrangements that apply to the processing; or
    • the effects that may be produced by the processing.

In case of failure to comply with the security provisions or where activities are conducted with the intent to cause harm – for example, in the event of unlawful data processing or false declarations or notifications submitted to the Data Protection Authority – criminal penalties may be imposed by the court.

Once the General Data Protection Regulation applies, sanctions for data controllers increase to up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes – individuals are entitled to compensation for loss suffered as a result of a data breach or non-compliance with the data protection rules by the data owner. As a rule, whoever causes damage will be liable to pay damages. This liability stems from the exercise of dangerous activities, as provided for under Section 2050 of the Civil Code.

The General Data Protection Regulation also recognises data subjects’ right to seek compensation if a controller or processor infringes the regulation, causing material or non-material damage.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Parliament has asked the government to implement EU Directive 2013/40/EC on attacks against information systems, which approximates member states’ criminal law regarding illegal access to information systems, illegal system interference, illegal data interference, illegal interception, incitement, aiding and abetting and attempting to commit one of the aforementioned offences.

The EU Directive on security of network and information systems (2016/1148/EC) will be implemented shortly in Italy. Further measures to be implemented regarding cybersecurity are those provided by the EU Directive on payment services in the internal market (2015/2366/EC).

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

In particular, Article 4bis of Decree-Law 7/2015, converted into Law 43/2015 and subsequently amended by Article 4quater(1)(b) of Decree-Law 210/2015 of December 30 2015, converted into Law 21/2016, prescribed that telephone and internet traffic data (except for the content of communications) held by telecoms service operators, along with telephone and internet traffic data generated thereafter, must be retained until June 30 2017 for the purposes of detecting and suppressing serious criminal offences related to terrorist activities. From July 1 2017, the conventional data retention periods apply (ie, telephone traffic data must be retained by the provider for 24 months and electronic communications traffic data, except for the content of communications, must be retained by the provider for 12 months).

However, please note that these retention periods may be further extended, since the Chamber of Deputies has recently approved an amendment, awaiting confirmation by the Senate, that extends the data retention period for the purpose of detecting and suppressing certain serious criminal offences (eg, terrorist activities and activities performed by stable criminal organisations) to 72 months. Although EU Directive 2006/24/EC on the retention of data generated or processed by publicly available electronic communications services and public communications networks was invalidated by the European Court of Justice in 2014, the relevant national implementing provisions are still in force.

Which cyber activities are criminalised in your jurisdiction?

The Criminal Code punishes activities such as:

  • computer fraud;
  • damage to computer or telematic systems;
  • dissemination of computer programs intended to damage or disrupt an IT system;
  • unauthorised access to a computer or telecoms system;
  • interception;
  • prevention or interruption of computer or electronic communications;
  • installation of equipment designed to intercept data; and
  • falsification, alteration or suppression of the content of computer or electronic communications.

Which authorities are responsible for enforcing cybersecurity rules?

The minister for home affairs and the heads of the central offices specialised in computer and IT matters – from the state police, the Carabinieri and the financial police to criminal prosecutors and the courts – are the responsible authorities.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Although no legislative framework governs rules and procedures for obtaining insurance against cybercrime, some insurers have started offering policies to companies and the trend is rapidly increasing.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Providers must keep an updated inventory of personal data breaches, including the circumstances of the breach, its consequences and the measures adopted to remedy the breach.

The same obligation is confirmed in Article 33 of the General Data Protection Regulation. The Data Protection Authority has stated that it will provide templates and guidelines to help with compliance with this obligation.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

According to the Personal Data Protection Code, providers of publicly available electronic communications services must notify breaches of personal data to the supervisory authorities and the individuals affected under the conditions set out therein.

The General Data Protection Regulation introduces a similar obligation to notify data breaches to the Data Protection Authority for every data controller and processor, regardless of their qualification as a provider of publicly available electronic communications services.

Moreover, in two General Application Orders (the General Application Order Concerning Biometrics of November 12 2014 and the General Application Order Concerning Electronic Health Files of June 4 2015), the Data Protection Authority set out an obligation for data controllers to report breaches concerning, respectively, biometric data (within 24 hours of becoming aware of the event) and data contained in Electronic Health Files (within 48 hours of becoming aware of the event).

Finally, the EU Directive on security of network and information systems (2016/1148/EC) introduces a new incident notification regime for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services). It requires operators of essential services to report, without undue delay, incidents having a significant impact on the continuity of the essential services they provide, and digital service providers to notify, without undue delay, incidents that have a substantial impact on the provision of a service they offer in the European Union.

A similar obligation is provided in the EU Directive on payment services in the internal market (2015/2366/EC).

Are companies required to report cybercrime threats, attacks and breaches publicly?

According to the Personal Data Protection Code, when a personal data breach is likely to be detrimental to the individuals who are parties to a contract of publicly available electronic communications services, providers must notify the breach to them without undue delay, unless the providers have demonstrated to the Data Protection Authority that they have implemented technological protection measures that render the data unintelligible to any entity that is not authorised to access it, and that the said measures were applied to the data concerned by the breach.

The General Data Protection Regulation introduces a similar obligation for data controllers, regardless of their qualification as providers of publicly available electronic communications services, to notify a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, and to communicate a personal data breach to the data subjects if it is likely to result in a high risk to the rights and freedoms of individuals.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

According to the Criminal Code, offences related to the security of networks, as well as to computer or telematic systems, are punishable by fines of up to €10,329 and imprisonment for up to eight years.

What penalties may be imposed for failure to comply with cybersecurity regulations?

The Personal Data Protection Code prescribes that failure to adopt the minimum security measures may be punished by imprisonment for up to two years. Any violation of the provisions regarding the retention of traffic data is punished by an administrative fine ranging from €10,000 to €50,000.

Failure to comply with the obligation to report data breaches to the supervisory authority may trigger an administrative penalty ranging from €25,000 to €150,000.

Failure to comply with the obligation to report data breaches to affected individuals may trigger an administrative penalty ranging from €150 to €1,000 per contracting party or individual.