In Short

The Situation: The Legislative Decree 101/2018 ("Harmonization Decree") harmonizes the Italian data protection laws with the General Data Protection Regulation (EU) 679/2016 ("GDPR") provisions. It was enacted and became effective on September 19, 2018.

The Result: The Harmonization Decree extensively modifies and supplements the Italian Privacy Code to render it compliant with the GDPR.

Looking Ahead: The Italian legal framework on data protection will still encompass the Privacy Code (as modified by the Harmonization Decree), in addition to the GDPR provisions, which are directly applicable in all Member States.

The Harmonization Decree was published on September 4, 2018, and entered into force on September 19, 2018.

The Italian legislator took the approach of maintaining the Italian Privacy Code in full force and effect in Italy (even though it was significantly modified and supplemented by the Harmonization Decree), together with the GDPR provisions, which became directly applicable in all Member States as of May 25, 2018.

The Harmonization Decree incorporates the provisions of Legislative Decree No. 196/2003 ("Italian Privacy Code") for those aspects that the GDPR delegates to the Member States, and sets forth transitional provisions to regulate the transition at a national level from the pre-GDPR regime to the future regime.

The most relevant provisions of the Harmonization Decree are summarized below.

Integrations to the GDPR and Amendments to the Italian Privacy Code

  • Data processing operations carried out in the performance of public interest tasks or the exercise of public powers can only be based on a provision of law or, where provided for by the law, a regulation.
  • Processing of judicial data related to criminal convictions is only allowed if authorized by law or regulation.
  • The Italian Data Protection Authority ("Italian DPA") will issue, on a two-year basis, specific safety measures (including pseudonimization, encryption, minimization, etc.) regarding the processing of biometric data, genetic data, and health-related data aimed at safeguarding the rights of the data subjects.
  • The age of consent for information society services is reduced to 14 years.
  • To enforce their rights, data subjects are given the option of advancing a claim vis-à-vis the Italian DPA or, alternatively, an appeal vis-à-vis the ordinary judicial authority.
  • The rights of the data subjects provided for under Articles 15-22 of the GDPR may be limited or excluded in certain specific cases, where they conflict with certain law provisions such as those on anti-money laundering, defensive investigations, exercise of a right in court, whistleblowing, etc.
  • Data controllers and data processors may assign specific data processing tasks or functions to individuals belonging to their organization, expressly designated to this effect. The role of "persons in charge for the processing" has been reintroduced, even though the appointment is now voluntary and no longer mandatory.
  • The Italian DPA will issue guidelines containing simplified measures for complying with the GDPR addressed to micro-, small-, and medium-sized companies.
  • The administrative fines set forth by the GDPR will also apply to violations of the provisions included in the Harmonization Decree.
  • Criminal sanctions are supplemented by the introduction of new criminal offences, such as communication and disclosure of personal data on a large scale, and fraudulent acquisition of personal data processed on a large scale.

Transitional Provisions

  • For the first eight months after the effective date of the Harmonization Decree, the Italian DPA will take into consideration, in the application of the administrative sanctions provided for by the GDPR, the phase of first application.
  • The Codes of Conduct already approved by the Italian DPA for specific sectors will continue to be valid and effective until new ones are approved.
  • The Italian DPA will identify, by means of a general order subject to public consultation, the provisions included in the general authorizations for the processing of sensitive data (issued under the pre-GDPR regime), which are compatible with the GDPR provisions, no later than 90 days from the effective date of the Harmonization Decree.
  • The general decisions and guidelines issued by the Italian DPA will continue to apply as long as they are not in conflict with the GDPR or with the Harmonization Decree.
  • Proceedings that are still pending as of the date of the entry into force of the Harmonization Decree may be settled by paying a reduced fine.

Three Key Takeaways

  1. The Harmonization Decree: (i) amends and integrates the Italian Privacy Code on those aspects that the GDPR delegates to the Member States; and (ii) sets forth transitional provisions governing the transition from the pre-GDPR regime to the future one.
  2. The general decisions and guidelines issued by the Italian DPA over the years will continue to apply as long as they are compatible with the GDPR or the Harmonization Decree.
  3. There will be no grace period in the application of the GDPR fines; however, for the first eight months, the Italian DPA will take into consideration the phase of first application of such fines.