Recent GDPR Developments in Italy

Can we say that Italy took the new privacy rules set out in GDPR seriously?

Italian businesses have carried out many preparatory activities in view of 25 May 2018, the date of full applicability of the European Union’s General Data Protection Regulation No. 679/2016 (“GDPR”): a large number of privacy policies have been amended and updated, Data Protection Officers have been appointed and mailing lists have been reviewed and updated to comply with the new provisions.

After the first few months with the GDPR in full force, this article takes a critical look at the current state of affairs.

Although the GDPR has direct effect in Italian law and thus required no implementation, the Italian Council of Ministers approved a Legislative Decree (no. 101/2018) with the purpose of harmonizing the Italian Privacy Code (D. Lgs. n. 196/2003) with the new GDPR provisions. The Italian decree entered into force on 19 September 2018.

There are several new provisions regarding, amongst others, the consent of minors, which in relation to the direct offer of “information society services” must be given by those exercising parental responsibility where a child is under 14 years of age; the legal bases for data processing have been identified in laws and regulations as well as in “the performance of a task carried out in the public interest or in the exercise of official authority”; privacy policies on the management of CVs must be provided to the candidate at the time of the “first useful contact”, after the candidate spontaneously sends the CV to a company/organization; privacy requirements for small to medium sized enterprises have been simplified; and new penalties have been introduced in relation to unlawful data processing, illegal communication and disclosure of data processed on a large scale, violations of the provisions on remote controls and surveys of workers’ opinions, etc.

Moreover, based on a recent public notice from the Italian Data Protection Authority (“IDPA”), it appears that the number of complaints filed with the IDPA is up 42% since 25 May this year: more than 2,500 complaints and reports have already been filed with the IDPA compared to 1,795 received in the same period last year.

In addition, the IDPA has received more than 40,000 communications of DPO data and more than 300 cases of data breaches have been notified.

In conclusion, it seems the GDPR provisions have evidently been taken very seriously by Italy and are becoming more and more widely applied, thus enabling more effective protection of personal data.