Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Italian data protection laws are ahead of the international curve. As an EU member state, Italy has one of the strongest legal frameworks in the world with regard to balancing data subjects’ rights and businesses’ interests, as the EU General Data Protection Regulation (GDPR) (2016/679) – which is generally classified as one of the most advanced data protection compliance standards – has become directly applicable as of 25 May 2018.

Even before the GDPR applied, Italy had a longstanding tradition in both legal practice and judicial interpretation that placed Italian data protection rules ahead of most international legislation. In particular, the Personal Data Protection Code (Legislative Decree 196/2003) – which implemented the EU Data Protection Directive (95/46/EC) and the EU Directive on Privacy and Electronic Communications (2002/58/EC) – and the related Data Protection Authority decisions, recommendations and guidelines remain in force insofar as they are compatible with the GDPR. The Data Protection Authority has often interpreted the rules and principles stemming from the Data Protection Code in ways that simplified their application for data controllers, while maintaining an intense focus on protecting individuals by rigorously enforcing the rules (eg, the 2013 guidelines on simplified procedures for carrying out multi-channel marketing activities and the rules regarding employers’ rights to monitor their employees’ performance).

Are any changes to existing data protection legislation proposed or expected in the near future?

With the approval of Law 163/2017, Parliament mandated the government to draft and enact a legislative decree amending existing data protection legislation (mainly contained in Legislative Decree 196/2003) in order to align the domestic legal framework with the GDPR and Directive (EU) 2016/680 on the processing of personal data in the police and criminal justice sector.

The draft decree is currently being discussed by Parliament. The Data Protection Authority recently issued its required opinion on the draft, asking for some changes to be made before definitive approval is granted.

The new rules are expected to come into force in the next few weeks, as the mandate for the government contained in Law 163/2017 expires on 21 August 2018.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The EU General Data Protection Regulation (GDPR) (2016/679) and the Data Protection Code (Legislative Decree 196/2003), together with specific and general decisions issued by the Data Protection Authority (eg, on traffic or health data), govern the collection, storage and use of personal data.

Scope and jurisdiction

Who falls within the scope of the legislation?

The following entities fall within the scope of the legislation:

  • entities established in Italy or in a place under Italian sovereignty which process personal data, including data held abroad; and
  • entities established in a non-EU country that, for the purposes of processing personal data, use equipment (whether electronic or otherwise) situated in Italy, unless this equipment is used only for purposes of transit through the European Union. 

Under Article 3(2) of the GDPR, the territorial scope of data protection legislation in Europe now also encompasses controllers and processors established outside the European Union whose processing activities relate to:

  • the offering of goods or services to data subjects in the European Union, irrespective of whether the data subjects pay for the goods or services; or
  • the monitoring of data subjects’ behaviour, insofar as that behaviour takes place in the European Union.

What kind of data falls within the scope of the legislation?

‘Personal data’ falls within the scope of the legislation and is defined as any information relating to an identified or identifiable natural person (ie, data subject). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name;
  • an identification number;
  • location data;
  • an online identifier;
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data relating to criminal convictions and offences or related security measures is also within scope, but may be processed only under the additional conditions set out in Article 10 of the GDPR.

Special categories of personal data (previously sensitive data) include data that reveals details of a person’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data;
  • health status; or
  • sex life or sexual orientation.

The processing of traffic-related data (eg, when, how and for how long it will be processed) is still subject to national law.

Are data owners required to register with the relevant authority before processing data?

Although the Data Protection Code still contains provisions requiring data controllers to notify some types of data processing, as of 25 May 2018 the GDPR has implicitly superseded those notification requirements and replaced them with an obligation to maintain internal records of processing activities (Article 30 of the GDPR). Therefore, in place of notifications, controllers and processors must maintain internal records covering their data processing activities and make them available to the supervisory authority on request.

Paragraphs 1022 and 1023 of Article 1 of Law 205/2017 have introduced a specific prior notification requirement for data processing which:

  • is based on the legitimate interests ground in Article 6(1)(f) of the GDPR; and
  • involves the use of new technologies or automated means.

In such cases, data controllers must promptly notify the supervisory authority before starting the processing. If the authority does not notify a decision to the data controller within the statutory waiting period, the processing may be lawfully performed. Otherwise, the authority may extend the period by a further 30 days in order to assess the likelihood that the processing will interfere with the data subjects’ fundamental rights, and may then prohibit the processing.

This mechanism will likely be repealed by the new legislative decree aimed at implementing the GDPR.

Is information regarding registered data owners publicly available?

The GDPR has abolished any obligation in this respect.

However, the Data Protection Authority has created a register where, pursuant to Article 37(7) of the GDPR, appointed data protection officers must be registered.

Is there a requirement to appoint a data protection officer?

Under Article 37 of the GDPR, a data protection officer must be appointed by public authorities and bodies (except courts acting in their judicial capacity) and by any controller or processor whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences. The notion of ‘data protection officer’ is further interpreted in the Article 29 Working Party’s Guidelines on Data Protection Officers.

According to Paragraph 2 of the guidelines, unless it is obvious that an organisation is not required to designate a data protection officer, under the accountability principle, data controllers and processors should document and update the internal analysis carried out to determine whether a data protection officer must be appointed.

Finally, the Data Protection Authority has clarified that the data protection officer’s expert knowledge and professional qualities required by Article 37(5) of the GDPR must actually be possessed and verifiable. Certifications are neither required nor sufficient on their own: they may serve as an indication that the person holds an adequate level of expertise, but they do not by themselves satisfy the Article 37(5) requirements.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Data Protection Authority (the so-called Garante) is primarily in charge of enforcing data protection legislation. It has investigative, corrective (including the power to impose administrative fines), authorisation and advisory powers. When investigating organisations, it can request information and documents. When carrying out formal inspections, the authority can demand copies of manual records and databases, which may be passed on to the judicial authorities. A report of the outcome is then published. The data protection rules may also be enforced by the judicial authorities.

Further, the Data Protection Authority sometimes cooperates with other independent authorities (eg, the telecommunications authority (AGCom) and the competition and market authority (AGCM)) in order to investigate fields that fall within the jurisdiction of more than one authority, such as big data.

Pursuant to the GDPR, the supervisory authorities of all member states (including the Data Protection Authority) have the same competence, tasks and powers, set out in Articles 55 to 58. Moreover, supervisory authorities from different EU member states (including the lead supervisory authority in cross-border cases) cooperate on transnational matters. In this regard, the Article 29 Working Party has provided Guidelines on the Lead Supervisory Authority.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data must be:

  • processed lawfully, fairly and in a transparent manner. The transparency principle mandates that the data subject be informed prior to the processing by way of a privacy notice containing the elements required under Articles 12 to 14 of the EU General Data Protection Regulation (GDPR) (2016/679);
  • collected and recorded for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, up to date;
  • kept in a form which permits the identification of the data subject for no longer than is necessary for the purposes for which the data is processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Any processing of personal data in violation of the above principles is unlawful. Further, in order to process personal data lawfully, data controllers must rely on one or more of the following legal bases (Article 6(1) of the GDPR):

  • The data subject has consented to the processing of their personal data for one or more specific purposes.
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
  • The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • The processing is necessary to protect the vital interests of the data subject or another natural person.
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The processing is necessary to fulfil the legitimate interests of the controller or a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be stored in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data is processed (Article 5(1)(e) of the GDPR). In some cases, national law establishes a specific retention period – for example, providers of electronic communication services (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers):

  • may process traffic data that is strictly necessary for subscriber billing and interconnection payments for up to six months; and
  • must retain telephone and electronic communication traffic data, but not the content of the communications, for 72 months from the date of the communication for the purpose of detecting and prosecuting criminal offences.

Other sectorial laws may set specific data retention requirements (eg, anti-bribery, anti-money laundering and tax law).

Under the GDPR, data controllers must disclose the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, regardless of whether it has already been recorded. Data subjects also have the right to obtain a copy of such data in an intelligible form.

Further, data subjects have the right to be informed of:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed – in particular, recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored or, if impossible, the criteria used to determine that period;
  • their right to request the controller to rectify or erase their personal data or restrict its processing, and to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • any available information as to the personal data’s source where it was not collected from the data subject; and
  • the existence of automated decision making, including profiling, which produces legal effects concerning or similarly significantly affects the data subject, together with meaningful information about the logic involved and the significance and envisaged consequences of such processing.

Under Articles 15 to 22 of the GDPR, data subjects have further rights, including:

  • the right to lodge a complaint with a supervisory authority;
  • the right to request the data controller to rectify or erase personal data or restrict the processing of data concerning the data subject and to object to such processing;
  • the right not to be subject to a decision based solely on automated processing which produces legal effects concerning or significantly affecting the data subject; and
  • the right to data portability.

Do individuals have a right to request deletion of their data?

Pursuant to Article 17 of the GDPR, data subjects have the right to request that a data controller erase personal data that concerns them without undue delay. The data controller must comply with the request if:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to direct marketing and profiling (to the extent that profiling is related to such direct marketing);
  • the personal data has been unlawfully processed;
  • the personal data must be erased to comply with an EU or EU member state law to which the controller is subject; or
  • the personal data has been collected in relation to the offer of information society services directly to a child (Article 8(1) of the GDPR).

Moreover, where the data controller has made the personal data public and is obliged to erase it, the data controller, taking into account the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform other controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, that personal data (the ‘right to be forgotten’ under Article 17(2)). The right to erasure does not apply where processing remains necessary, for example for exercising the right of freedom of expression and information or for compliance with a legal obligation (Article 17(3)).

Consent obligations

Is consent required before processing personal data?

The processing of personal data may be based on a data subject’s consent or on one or more of the other legal bases in Article 6 of the GDPR. In order to be valid, consent must be freely given (pursuant to Article 7(4), utmost account must be taken of whether the performance of a contract is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract). Consent must be:

  • specific (ie, related to a clearly defined and specific processing operation), informed and constitute an unambiguous indication of the data subject's wishes, thereby excluding the validity of implied consent; and
  • given in the form of a statement or clear affirmative action which signifies agreement to the processing of personal data.

Further, the controller must be able to demonstrate that the data subject has consented to such processing.

For the processing of special categories of personal data (eg, health data or data that may reveal the data subject’s racial or ethnic origin), consent must also be explicit. Special categories of personal data may also be processed where one of the other conditions laid down in Article 9(2) of the GDPR applies. In some cases a legal basis under Article 6 must be satisfied in addition to an Article 9(2) condition, as clarified by the Article 29 Working Party in its opinion on the notion of legitimate interests of the data controller under Article 7 of the EU Data Protection Directive (95/46/EC).

If consent is not provided, are there other circumstances in which data processing is permitted?

Aside from consent, personal data may be lawfully processed where at least one of the following grounds apply:

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.

What information must be provided to individuals when personal data is collected?

Pursuant to Article 13 of the GDPR, where personal data is collected from the data subject, they must be preliminarily informed either orally or in writing of:

  • the identity and contact details of the data controller and, where applicable, its representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes and legal basis of the processing for which the personal data is intended;
  • where the processing is based on the legitimate interests ground, the legitimate interests pursued by the controller or a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • whether the controller intends to transfer personal data to a third country or international organisation, along with further information regarding the lawfulness of the transfer;
  • the period for which the personal data will be stored or, if that is impossible, the criteria used to determine that period;
  • the existence of the right to:
    • request from the controller access to and rectification or erasure of personal data or the restriction of processing concerning the data subject;
    • object to processing; and
    • data portability;
  • the existence of the right to withdraw consent at any time where the processing is based on the data subject’s consent;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract;
  • whether the data subject must provide the personal data and the possible consequences of failure to provide such data;
  • the existence of automated decision making, including profiling, which produces legal effects or significantly affects the data subject; and
  • meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.

Pursuant to Article 14 of the GDPR, where personal data is not collected from the data subject, the data controller must provide the data subject with:

  • the information set out in Article 13, plus the categories of personal data concerned; and
  • the source from which the personal data originates and whether it came from a publicly accessible source.

In this instance, it is not mandatory to inform the data subject of:

  • whether the provision of personal data is a statutory or contractual requirement; or
  • the consequences of refusing to provide such data.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Data controllers and data processors are accountable for the security measures that they implement within their own organisations. The EU General Data Protection Regulation (GDPR) (2016/679) requires the implementation of appropriate technical and organisational security measures, taking into account:

  • the state of the art;
  • the implementation costs;
  • the nature, scope, context and purpose of processing; and
  • the likelihood and severity of the risk to the rights and freedoms of natural persons.

As specified in Article 32 of the GDPR, by way of example and where appropriate to the relevant risk, these measures may consist of:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

In this regard, the Data Protection Authority stated that it will provide best practices on which data controllers may rely to perform their own assessment of security measures.

Further, in early 2018 the European Union Agency for Network and Information Security (ENISA) issued a handbook on the security of personal data processing, which provides guidance on the minimum technical measures that companies should adopt for personal data processing. ENISA has also published technical guidelines for the implementation of minimum security measures for digital service providers, which aim to provide a common EU-level approach to the security measures to be implemented by digital service providers. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Before the GDPR, only providers of publicly available electronic communications services were under a statutory duty to notify personal data breaches. The GDPR extends that obligation to all controllers and processors, regardless of sector.

Under Article 34 of the GDPR, data controllers must communicate a personal data breach to the data subjects concerned without undue delay only when the breach is likely to result in a high risk to the rights and freedoms of natural persons. In this case, the communication must describe in clear and plain language the nature of the personal data breach and include at least the contact point for further information, the likely consequences of the breach and the measures taken or proposed to address it. Communication to data subjects is not required where the controller has rendered the data unintelligible to unauthorised persons (eg, through encryption), where subsequent measures ensure that the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort, in which case a public communication or similar measure must be used instead (Article 34(3)). The Article 29 Working Party provided guidance on how to assess the level of risk involved in a data breach in its guidelines on personal data breach notification under the GDPR. The document also offers guidance on the other obligations that arise in the case of a data breach.

Are data owners/processors required to notify the regulator in the event of a breach?

In case of a data breach, the data controller must notify the Data Protection Authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach; where the notification is made later, it must be accompanied by the reasons for the delay. Similarly, the data processor must notify the data controller without undue delay after becoming aware of a breach. Data controllers must provide the Data Protection Authority with the information set out in Article 33(3) of the GDPR, including:

  • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point;
  • the likely consequences of the data breach; and
  • the measures taken or proposed to be taken by the controller to address the breach and mitigate its possible adverse effects.

Where it is not possible to provide all of this information at the same time, it may be provided in phases without undue further delay (Article 33(4)). Controllers must also document every personal data breach, including those not notified, so that the authority can verify compliance (Article 33(5)).

The Data Protection Authority need not be notified where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Article 29 Working Party guidelines on personal data breach notification under the GDPR provide guidance on how to assess that risk.

The Data Protection Authority stated in its guidelines on the application of the GDPR that the information to be provided to the authority in case of a data breach is substantially similar to that required by Article 32bis(7) of the Data Protection Code for telecoms companies before the GDPR’s applicability.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

There is a comprehensive set of rules governing direct marketing, resulting from the combined application of the EU General Data Protection Regulation (GDPR) (2016/679), the Personal Data Protection Code (specifically, the parts transposing the EU Directive on Privacy and Electronic Communications (2002/58/EC)) and the Data Protection Authority’s Guidelines on Marketing and Against Spam of 4 July 2013.

As a rule, data controllers may contact users for direct marketing purposes with the user’s prior consent. This rule applies to communications performed by means of automated calling or communications systems without human intervention or by email, fax or text message. Consent – provided that it satisfies the validity requirements of Articles 4(11) and 7 of the GDPR – needs to be given only once to enable marketing activities using different means of communication, provided that the data subject can opt out at any time from one or more of the data controller’s means of communication.

Further, when the personal data is drawn from public subscriber directories (paper or electronic), data controllers may contact users only by telephone or postal mail, provided that the users have not exercised their right to object by registering with the public opt-out register (the Italian version of the so-called ‘Robinson list’, maintained online by the Fondazione Ugo Bordoni).

Finally, where a data controller uses, for direct marketing of its own products or services, the email address supplied by a data subject in the context of the sale of a product or service, it need not request the data subject’s consent, provided that the products or services marketed are similar to those that were the subject of the sale and the data subject, after being adequately informed, does not object to the use either initially or in connection with each subsequent communication (the so-called ‘soft spam’ exception).

Further, where personal data is processed for direct marketing purposes, the data subject must have the right to object at any time to processing of his or her personal data for such marketing, including profiling to the extent that it is related to direct marketing.

Cookies

Are there rules governing the use of cookies?

As a rule, the Personal Data Protection Code (specifically, the parts transposing the EU Directive on Privacy and Electronic Communications) permits the use of cookies, the storing of information and the accessing of information that is already stored on a user’s device, provided that the user has given their prior informed consent.

So-called ‘technical cookies’ are exempt from this requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the subscriber or user. Under the Data Protection Code, technical cookies may be used without the user’s consent, provided that the user is informed as required.

The Data Protection Authority has issued a general provision (8 May 2014) setting out a simplified procedure for providing information and obtaining consent for the use of cookies. The provision stipulates that a suitably sized banner must be displayed on the screen immediately when a user accesses the home page or any other page of the website, linking to a full cookie notice and to the means for selecting which cookies to accept; if the user then continues browsing the website by accessing any other section or selecting any item (eg, clicking a picture or link), this signifies his or her consent to the use of cookies. Non-technical cookies (eg, profiling and third-party analytics cookies) must not be set before that consent is given.

A revision of the current rules governing the use of cookies is under discussion at the EU level. The new EU e-Privacy Regulation to replace the existing e-Privacy Directive (the EU Directive on Privacy and Electronic Communications, as amended in 2009) is expected to come into force in 2019.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Personal data flows freely within the European Economic Area and to countries that the European Commission has found to ensure an adequate level of protection, pursuant to the criteria set out in Article 45 of the EU General Data Protection Regulation (GDPR) (2016/679).

Pursuant to Article 47 of the GDPR, transfers of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, to a non-EU country are permitted on the basis of binding corporate rules approved by the competent supervisory authority.

Other appropriate safeguards for the transfer of personal data (Article 46 of the GDPR) are:

  • the standard contractual clauses adopted by the European Commission;
  • the EU-US Privacy Shield (for transfers to certified organisations in the United States);
  • legally binding and enforceable instruments between public authorities or bodies; and
  • approved codes of conduct and certification mechanisms.

In the absence of an adequacy decision or appropriate safeguards, a transfer may take place only under one of the derogations for specific situations in Article 49 of the GDPR (eg, the data subject’s explicit consent or the necessity of the transfer for the performance of a contract with the data subject).

Are there restrictions on the geographic transfer of data?

Personal data flows freely within the European Economic Area and to countries that the European Commission has found to ensure an adequate level of protection, pursuant to the criteria set out in Article 45 of the GDPR.

Pursuant to Article 47 of the GDPR, transfers of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, to a non-EU country are permitted on the basis of binding corporate rules approved by the competent supervisory authority.

Other appropriate safeguards for the transfer of personal data (Article 46 of the GDPR) are:

  • the standard contractual clauses adopted by the European Commission;
  • the EU-US Privacy Shield (for transfers to certified organisations in the United States);
  • legally binding and enforceable instruments between public authorities or bodies; and
  • approved codes of conduct and certification mechanisms.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Data subjects must be informed beforehand of the possible communication of their personal data to a third party or a category of third parties. The actual communication of data must rely on a valid legal ground. For example, in order to communicate data to a third party for its own direct marketing purposes, the data controller must seek specific consent beforehand. In other cases, the communication may be authorised, if not mandated, by law. A specific form of disclosure – which does not technically amount to a 'communication' in the reading of the law – is that between a data controller and a data processor, where the latter acts under the control and instructions of the former pursuant to a contract or EU or EU member state law that is binding on the data processor and contains the requirements set out in Article 28 of the GDPR.

Specific provisions in this respect are provided by Law 5/2018, which regulates the telemarketing sector. Where a data subject has registered with the registry of opposition to telemarketing, the law prohibits the use of lists of telephone numbers sold to third parties, regardless of whether the data subject’s consent to the communication of their data to third parties for marketing purposes was correctly collected.

Further, this law may be repealed by the new legislative decree aimed at implementing the GDPR, which is currently under revision.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

With the applicability of the EU General Data Protection Regulation (GDPR) (2016/679), penalties for data controllers may reach up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Pursuant to Article 58(2)(f) of the GDPR, the Data Protection Authority has the power to impose a temporary or definitive limitation on processing, including a ban.

In some instances, the ordinary courts may impose criminal penalties on natural persons.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes – individuals are entitled to compensation for loss suffered as a result of a data breach or non-compliance with the data protection rules by a data controller or processor; where the damage stems from the same processing activities performed by more than one controller or processor, they are jointly and severally liable. As a rule, whoever causes material or non-material damage will be liable to pay damages. This liability stems from the rules on the exercise of dangerous activities, as provided for by Section 2050 of the Civil Code, which places the burden of proof on the party that has allegedly caused the harm.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Italy has implemented EU Directive 2013/40/EC on attacks against information systems, which approximates member states’ criminal law regarding:

  • illegal access to information systems;
  • illegal system interference;
  • illegal data interference;
  • illegal interception, incitement, aiding and abetting; and
  • attempts to commit one of the aforementioned offences.

The EU Directive on security of network and information systems (2016/1148/EC) has also been implemented. Further measures to be implemented regarding cybersecurity are those provided by the EU Directive on payment services in the internal market (2015/2366/EC).

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Italian law establishes that providers of electronic communication services (eg, telecoms service, Voice over Internet Protocol and email service providers) must retain telephone and electronic communication traffic data, but not the content of communications, for 72 months from the date of the communication for the purpose of detecting and suppressing criminal offences.

Although EU Directive 2006/24/EC on the retention of data generated or processed by publicly available electronic communications services and public communications networks was declared invalid by the European Court of Justice in 2014, the relevant national implementing provisions are still in force.

The Data Protection Authority has also issued various decisions which are relevant in this respect. In particular, the authority issued a decision on system administrators in 2008, which obliges data controllers to appoint as system administrators only persons fulfilling certain minimum professional requirements, to keep a record of every person so appointed and to monitor their activity.

Another decision issued in 2011 affects the banking sector and sets limitations aimed at ensuring the confidentiality of financial information by, for example, mandating the tracking of banking operations performed by employees and regulating personal data flows:

  • between banking companies that are part of the same group;
  • between establishments that are part of the same bank; and
  • within a single establishment.

It is unclear whether these decisions will be abolished by the legislative decree aimed at adjusting Italian law to reflect the EU General Data Protection Regulation (GDPR) (2016/679), which is currently under review.

Which cyber activities are criminalised in your jurisdiction?

The Criminal Code punishes activities such as:

  • computer fraud;
  • damage to computer or telematic systems;
  • dissemination of computer programs intended to damage or disrupt an IT system;
  • unauthorised access to a computer or telecoms system;
  • interception;
  • prevention or interruption of computer or electronic communications;
  • installation of equipment designed to intercept data; and
  • falsification, alteration or suppression of the content of computer or electronic communications.

Which authorities are responsible for enforcing cybersecurity rules?

The minister for home affairs and the heads of the central offices specialised in computer and IT matters – from the state police, the Carabinieri and the financial police to criminal prosecutors and the courts – are the responsible authorities.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Although no legislative framework governs rules and procedures for obtaining insurance against cybercrime, some insurers have started offering such policies to companies and uptake is increasing rapidly.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Pursuant to Article 33(5) of the GDPR, data controllers must keep an updated inventory of personal data breaches, including:

  • the circumstances of the breach;
  • its consequences; and
  • the measures adopted to remedy the breach.

The Data Protection Authority has stated that it will provide templates and guidelines to facilitate compliance with this obligation.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

In case of a data breach, the data controller must, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach, notify the Data Protection Authority. Similarly, the data processor must notify the data controller without undue delay after becoming aware of a breach.

The Data Protection Authority need not be informed of a breach where it is unlikely to pose a risk to the rights and freedoms of data subjects. The Article 29 Working Party provided guidance on how to properly assess the level of risk involved in a data breach in its guidelines on personal data breach notifications under the GDPR. The document also offers guidance on the other obligations involved in the case of a data breach.

Moreover, in two General Application Orders (the General Application Order Concerning Biometrics of 12 November 2014 and the General Application Order Concerning Electronic Health Files of 4 June 2015) the Data Protection Authority set out an obligation for data controllers to report breaches concerning, respectively, biometric data (within 24 hours of becoming aware of the event) and data contained in Electronic Health Files (within 48 hours of becoming aware of the event).

Finally, the EU Directive on security of network and information systems (2016/1148/EC) introduces a new incident notification regime for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services). Operators of essential services must report, without undue delay, incidents having a significant impact on the continuity of the essential services they provide; digital service providers must notify, without undue delay, incidents that have a substantial impact on the provision of a service they offer in the European Union.

A similar obligation is provided in the EU Directive on payment services in the internal market (2015/2366/EC).

Are companies required to report cybercrime threats, attacks and breaches publicly?

There is no general requirement to report cybercrime threats, attacks and breaches to the general public. However, in case of a data breach, the data controller must, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach, notify the Data Protection Authority. Similarly, the data processor must notify the data controller without undue delay after becoming aware of a breach.

The Data Protection Authority need not be informed of a breach where it is unlikely to pose a risk to the rights and freedoms of data subjects. Conversely, when a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the data controller must communicate the breach to the data subjects concerned without undue delay. The Article 29 Working Party provides guidance on how to properly assess the level of risk involved in a data breach in its guidelines on personal data breach notification under the GDPR. The document also offers guidance on the other obligations involved in the case of a data breach.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

According to the Criminal Code, offences related to the security of networks, as well as to computer or telematic systems, are punishable by fines of up to €10,329 and imprisonment for up to eight years.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Failure to comply with the obligation to report data breaches to the supervisory authority or, where applicable, the affected individual, may trigger an administrative penalty of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.