On August 10, 2018, after a long waiting period, Italian Legislative Decree no. 101/2018 (the “Legislative Decree”), which adapts the Italian data protection legislation previously in force to the General Data Protection Regulation (“GDPR”), was finally approved. It will come into force on September 19, 2018.
The Italian legislator has opted for a partial rather than a total repeal of the former Legislative Decree 196/2003, known as the “Privacy Code”, retaining those provisions of the Privacy Code that are already aligned with the GDPR.
Below is a summary of the key provisions of Legislative Decree no. 101/2018:
- administrative sanctions (article 22, §13): for the first 8 months from the date of entry into force of the Legislative Decree, the Italian Data Protection Authority will take a gradual approach to applying administrative sanctions, insofar as this is compatible with the provisions of the GDPR, in view of the fact that this will be the first phase of application of the sanctions;
- criminal sanctions for infringement of data protection rules (articles 167 bis and 167 ter): the Legislative Decree confirms the importance of the criminal sanctions already provided for by the Privacy Code and introduces new types of criminal offence, namely the unlawful disclosure and dissemination of personal data processed on a large scale and the fraudulent acquisition of personal data processed on a large scale. The first offence consists of the communication or dissemination of an automated data file, or a substantial part thereof, containing personal data processed on a large scale, in order to obtain a profit for oneself or others or to cause damage to third parties; the second consists of the acquisition by fraudulent means of an automated data file, or a substantial part thereof, containing personal data processed on a large scale. Both offences are punished with imprisonment: between one and six years for unlawful disclosure and dissemination, and between one and four years for fraudulent acquisition;
- data concerning health, biometric data and genetic data (article 6): in continuity with the extensive practice of the Italian Data Protection Authority (one of the most active in the EU), the processing of these categories of personal data must be carried out in accordance with the safeguard measures adopted by the Authority every two years. This provision is of key importance for companies that process special categories of data in reliance on authorizations previously issued under the Privacy Code: these companies will need to take the Authority's safeguard measures into account when processing such data;
- children’s consent (article 2 quinquies): the Legislative Decree lowers to 14 years the minimum age at which a child can validly give consent on his or her own in relation to information society services offered directly to children. Where a child is below the age of 14, such processing is lawful only to the extent that consent is given or authorized by the holder of parental responsibility;
- simplified methods of compliance with the GDPR for small and medium-sized enterprises (article 154 bis, §4): the Italian Data Protection Authority will promote, through guidelines, simplified measures allowing SMEs to comply with the GDPR;
- codes of ethics and general authorizations (articles 20 and 21): the provisions of the existing codes of ethics will continue to produce effects until completion of the approval procedure conducted by the Italian Data Protection Authority, whereas for the general authorizations issued under the former Privacy Code the Legislative Decree draws a distinction. General authorizations on matters that the GDPR delegates to the Member States, namely processing necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (specifically under Articles 6(1)(c) and (e), 9(2)(b) and 9(4), and Chapter IX of the GDPR), are subject to a procedure verifying their compatibility with the GDPR and will continue to apply until the Italian Data Protection Authority publishes an order on the matter. All other general authorizations cease to produce effects from the date of entry into force of the Legislative Decree.
What happens to proceedings that were pending before the Italian Data Protection Authority on 25 May 2018 (the date of application of the GDPR)? The Legislative Decree establishes a simplified procedure for settling them: payment of two-fifths of the fine provided for by the former Privacy Code within 90 days from the date of entry into force of the Legislative Decree.
In light of the above, we recommend that companies give serious consideration to the new provisions of Italian data protection legislation, which supplement those of the GDPR. Not only are these provisions mandatory, they also clarify and simplify many of the obligations introduced by the GDPR. Therefore, full compliance with the applicable data protection legislation requires that the GDPR adaptation process already carried out by companies before 25 May 2018 also take due account of the further provisions of Legislative Decree no. 101/2018, as well as of the clarifications, guidelines and measures that the Italian Data Protection Authority will issue in the near future on the basis of the Legislative Decree.
For further information, please contact Carlo Impalà (Carlo.Impala@MorriRossetti.it), Head of the Digital-ICT and Data protection team.