Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Italy

A practical guide to national GDPR compliance requirements across the EEA

Article

Italy

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data Protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———


Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

Old legislation has been updated.

———

(b) Relevant legislation includes:

  • Legislative Decree No. 101/2018 setting out rules adapting Italian law to the GDPR, which amended Legislative Decree No. 196/2003 setting out the Italian privacy code (the “Italian Privacy Code”)
    • Date in force: 19 September 2018
    • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been revised.

———


Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The rights set out in Arts. 15-22 GDPR may be exercised with respect to deceased persons by a person who has an interest of his or her own (e.g., heirs, executors, etc.) or is acting as a representative to safeguard the deceased person or their family’s interests. Exercise of such rights is not permitted where the data subject has expressly refused consent to the processing of his or her personal data. This does not affect the inheritance rights of third parties arising from the death of the data subject, nor does it affect their right to process personal data in order to defend themselves in court.

———


Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

The DPA is tasked with promoting the adoption of rules regarding the processing of personal data carried out:

  • in order to comply with a legal obligation (in accordance with Art. 6(1)(c) GDPR); or
  • for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller (under Art. 6(1)(e) GDPR).

Compliance with these rules is a legal requirement in respect of such processing. The rules govern processing of personal data in the context of journalistic activity, historical research purposes, statistical purposes in the context of the National Statistics System, statistical and scientific research purposes, and defence investigations.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

Sharing of personal data (other than sensitive personal data) among controllers for the performance of tasks in the public interest (or in the exercise of official authority vested in the controller) may only be carried out if authorised by law, or if:

  • it is necessary for the performance of tasks of public interest or the carrying out of institutional activities;
  • the sharing has been communicated to the DPA; and
  • 45 calendar days have passed from such communication without the DPA having requested the implementation of specific measures to protect the interests of the data subjects.

Disseminating or sharing personal data, which is processed for the performance of tasks carried out in the public interest (or in the exercise of official authority vested in the controller), to persons who intend to process such data for other purposes, may take place solely on the basis of a specific legal (or regulatory) provision.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

The same rules outlined in Q3(b) above apply with regard to processing of personal data for the performance of tasks carried out in the public interest.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———


Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

14 years of age.

———


Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

Genetic data cannot be processed by an employer for the purposes of establishing employees’ or candidates’ working capacity, even if that person’s consent has been obtained.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

The processing of sensitive personal data in the employment context is only permissible:

  • in order to perform, or enforce performance of, specific obligations under applicable laws, regulations or collective agreements;
  • for account-keeping purposes or the payment of salaries and compensation;
  • for the protection of either the employee’s, or a third party’s, vital interests;
  • for the establishment or defence of legal claims;
  • in order to fulfil obligations resulting from insurance contracts against risks related to employers’ liability for occupational health and safety and occupational diseases, or against any damage caused to third parties in the exercise of labour or professional activities;
  • in relation to affirmative action policies in the employment sector; or
  • in order to pursue specific, legitimate purposes as set out in the by-laws of associations, organisations, federations or confederations representing employers’ categories, or in collective agreements with regard to the support provided by trade unions to employers.

With respect to curricula vitae that are spontaneously submitted by applicants, the employer should provide its public-facing privacy notice to the applicants at the point of first contact. Consent is not required as a legal basis for processing any sensitive personal data in a curriculum vitae or application if the processing is necessary for the performance of contractual or pre-contractual requirements, pursuant to Art. 6(1)(b) GDPR.

(ii) Substantial public interest

The Italian Privacy Code provides a list of processing activities which are deemed necessary for reasons of substantial public interest (e.g., access to administrative files, operation of public registry offices, exercising active and passive political rights, ensuring diplomatic protection, exercising investigation/inspection and fining powers, administrative or judicial protection, provision of healthcare services, performance of tasks related to occupational hygiene and safety and public health). Outside the scope of the above list, processing of sensitive personal data necessary for reasons of substantial public interest is permitted in the instances provided pursuant to either EU or national laws and regulations specifying:

  • the types of data that may be processed;
  • the tasks that may be carried out;
  • the relevant substantial public interest; and
  • the specific appropriate measures for the protection of the interests and fundamental rights of the data subject.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

The processing of sensitive personal data is permissible if that processing is required, inter alia, in order to:

  • satisfy specific obligations under European regulatory framework, laws, regulations or collective agreements, especially with respect to the setting-up, management and termination of employment relationships or in order to grant benefits or contributions, or to apply provisions related to social security and assistance, including social allowances, occupational hygiene and safety, taxation and trade unions; and
  • fulfil obligations resulting from insurance contracts against risks related to employers’ liability for occupational health and safety and occupational diseases, or against any damage caused to third parties in the exercise of labour or professional activities.

(iv) Public interest in the area of public health

Processing of health data must be carried out in accordance with the specific safeguards for the processing of health data adopted by the DPA, and any other applicable legislation. The safeguard measures for the processing of health data are updated every two years. References to the need to obtain consent from data subjects have been deleted from the Italian Privacy Code.

The obligation to provide notice to affected data subjects continues to apply. General practitioners must also inform patients of data processing with regard to electronic health records, which are still subject to consent, and to records and surveillance required by law. In the event of a public health emergency, data subjects may be provided with notice promptly after the provision of the relevant treatment.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes may continue for a longer period than the period for which those data were necessary in relation to the purpose for which they were originally collected.

Personal data collected for archiving or historical research purposes may not be used to take administrative action, or to adopt measures unfavourable to the data subject, unless those data are processed in accordance with Art. 5 GDPR.

The DPA promotes the adoption of rules concerning the processing for archiving purposes in the public interest, historical research purposes, and statistical or scientific research purposes. The Italian Privacy Code includes rules concerning processing of personal data for these purposes.

With respect to the processing of sensitive personal data for scientific research or statistical purposes, when the processing is not necessary for reasons of substantial public interest, consent can be obtained from data subjects in a simplified written form (and must be retained by the controller for three years).

Processing of health data can take place without the data subject’s consent, for the purposes of medical research, subject to appropriate safeguards and the conduct of an Impact Assessment. Medical research programmes are subject to the oversight of the relevant medical ethics committees, and require prior consultation with the DPA.

———

(c) Has national law introduced any further conditions and/or limitations with regard to the processing of genetic data, biometric data, or health data?

The processing of health data (as well as genetic and biometric data) must be carried out in accordance with specific safeguards (e.g., encryption, pseudonymisation, other security measures, minimisation measures, selective access) adopted by the DPA (and updated every two years), taking into account:

  • guidelines and best practices published by the EDPB;
  • scientific and technological developments in the relevant sector; and
  • the principle of free movement of personal data in the EU.

The DPA has adopted specific safeguards in respect of:

  • healthcare organisation and management;
  • methods of communicating a diagnosis to patients; and
  • medical prescriptions.

Dissemination of health data (as well as genetic and biometric data) is prohibited.

———


Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Criminal data may only be processed:

  • under the supervision of the relevant public authority; or
  • where authorised by a provision of applicable law or regulation, providing appropriate safeguards for the rights and freedoms of the concerned persons.

No such regulation has yet been adopted in Italy.

———


Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

Processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes may continue for a longer period than the period for which those data were necessary in relation to the purpose for which they were originally collected.

Under the rules regarding processing of personal data for statistical purposes in the context of the National Statistics System, statistical and scientific research purposes, the controller must take note of erasure requests (and any other request under Art. 15 et seq. GDPR) without amending the data originally added to the archive.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

Under the rules regarding processing of personal data for statistical purposes in the context of the National Statistics System, statistical and scientific research purposes, where the personal data have not been obtained directly from the data subject, and the provision of the information under Art. 14 GDPR would be particularly burdensome, the controller may use alternative means such as publication of the necessary information in a newspaper or on television.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———


Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The rights of individuals under Arts. 15-22 & 77 GDPR cannot be exercised if it would result in a material damage to:

  • interests protected under the provisions on money laundering;
  • interests protected under the provisions on support for victims of extortionate requests;
  • the activities of parliamentary committees of inquiry;
  • statutory activities of a public body (other than public economic bodies) relating to monetary and currency policy, payment systems, the supervision of intermediaries, credit markets, and financial markets, and the protection of their stability;
  • the conduct of defence counsel investigations, or the exercise of a right in court; or
  • the confidentiality of the identity of whistleblower employees.

In relation to the processing of personal data carried out in legal proceedings, the rights and obligations referred to in Arts. 12-22 & 34 GDPR may be delayed, limited or excluded, by reasoned notice given without delay to the person concerned (unless such notice is likely to compromise the purpose of the limitation), to the extent and for the time that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the person concerned, to safeguard the independence of the judiciary and judicial proceedings.

———


Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———


Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———


Q11/ Data Protection Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

Processing of health data can take place without the data subject’s consent, for the purposes of medical research, subject to appropriate safeguards and the conduct of an Impact Assessment. Medical research programmes are subject to the oversight of the relevant medical ethics committees, and require prior consultation with the DPA.

———


Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

The DPA may set out safeguards to be adopted in the context of processing for the performance of a task carried out in the public interest.

Medical research programmes are subject to the oversight of the relevant medical ethics committees, and require prior consultation with the DPA.

The DPA may authorise processing of personal data (including sensitive personal data) by third parties for scientific research or statistical purposes, when informing the data subjects may prove impossible, require disproportionate efforts or endanger the research purposes, subject to appropriate safeguards (e.g., minimisation and anonymisation).

Sharing of personal data among controllers for the performance of tasks in the public interest (or in the exercise of official authority vested in the controller), in the absence of a specific legal or regulatory obligation to do so, can only be carried out after the DPA has been notified and has not responded within 45 calendar days.

———


Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

Judicial authorities must appoint a DPO with respect to the processing of personal data by them in the performance of their functions.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

There are no specific secrecy obligations imposed on DPOs. However, the performance of the DPO’s tasks and the fiduciary relationship with the management and employees are subject to confidentiality obligations. Lawyers who act as DPOs have secrecy obligations under applicable bar rules.

———


Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———


Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Garante per la protezione dei dati personali

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The DPA has the following additional powers:

  • the power to adopt guidelines on organisational and technical measures for the implementation of GDPR principles; and
  • the power to approve rules under the Italian Privacy Code.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

It is possible to challenge the decisions of the DPA by filing an appeal with the courts in the place where the controller is established.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

There are no specific rules on this issue.

———


Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———


Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

There are no specific rules regarding fines for public authorities.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The DPA may impose fines of up to €10 million, or up to 2% of worldwide turnover in respect of:

  • failure to adopt measures provided for by the DPA in relation to processing activities carried out for the performance of tasks of public interest that present high risks;
  • failure to use clear and plain language for the purpose of obtaining valid consent for processing minors’ personal data with respect to the provision of information society services; and
  • failure to carry out an Impact Assessment in relation to medical research projects.

The DPA may impose heavier fines (up to €20 million, or up to 4% of worldwide turnover) in respect of:

  • unlawful processing of personal data relating to deceased persons;
  • failure to obtain a valid consent for processing minors’ personal data in relation to the direct offer of services of the information society; and
  • dissemination of biometric, genetic and health-related data.

With regard to applicable criminal penalties, the Italian implementation law:

  • imposes criminal penalties (e.g., in relation to the unlawful processing of sensitive data, or the unlawful international transfer of data) ranging from a minimum of six months’ to a maximum of three years’ imprisonment;
  • introduced the crime of unlawful communication and disclosure of personal data processed on a large scale, punishable by a minimum of one year to a maximum of six years’ imprisonment;
  • introduced the crime of fraudulent acquisition of personal data being processed on a large scale, punishable by a minimum of one year to a maximum of four years’ imprisonment;
  • revised the existing provisions on false declarations to the DPA, and interruption of the execution of the tasks or the exercise of the powers by the DPA, applying penalties ranging from a minimum of six months’ to a maximum of three years’ imprisonment;
  • revised the existing provision concerning failure to comply with the provisions adopted by the DPA, applying penalties ranging from a minimum of three months’ to a maximum of two years’ imprisonment; and
  • revised the existing rules concerning the violation of the rules regarding remote surveillance and employees’ opinion surveys, applying penalties ranging from a monetary fine to a period of imprisonment of up to one year.

———


Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

With regard to data processing carried out for journalistic, literary, artistic or academic purposes, the following do not apply:

  • the safeguarding provisions regarding the processing of health data and the general provisions regarding the performance of tasks carried out in the public interest (e.g., social protection and public health) that may result in a high risk to data subjects; and
  • the restrictions concerning international transfers of personal data.

In addition, sensitive personal data may be processed for these purposes without consent of the affected data subjects, on the condition that the requirements of the Italian Privacy Code are satisfied.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

See Q18(a) above.

———


Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

There are no specific provisions governing this issue.

———


Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

The processing of employee data in the employment context (including sensitive personal data) is permissible where it is necessary:

  • in order to perform, or enforce performance of, specific obligations under applicable laws, regulations or collective agreements;
  • for account-keeping purposes or the payment of salaries and compensation;
  • for the protection of either the employee’s, or a third party’s, vital interests;
  • for the establishment or defence of legal claims;
  • in order to fulfil obligations resulting from insurance contracts against risks related to employers’ liability for occupational health and safety and occupational diseases, or against any damage caused to third parties in the exercise of labour or professional activities;
  • in relation to affirmative action policies in the employment sector; or
  • in order to pursue specific, legitimate purposes as set out in the by-laws of associations, organisations, federations or confederations representing employers’ categories, or in collective agreements with regard to the support provided by trade unions to employers.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

Employers may not collect or process (including through third parties) personal data for recruitment purposes with the aim of determining the political opinions, religious beliefs or trade union membership of the prospective employee, or other facts not relevant to the professional assessment of the prospective employee.

In addition, the use of CCTV, or other means of remotely monitoring employees, is restricted.

———


Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

There are no other material derogations.

———


Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———


Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

On 4 April 2019, the DPA imposed its first fine of €50,000 for breach of the GDPR. The fine was issued for failure to adopt appropriate technical and organisational measures in breach of Art. 32 GDPR against a processor that provided services related to the operation of websites.

———


Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

While the DPA has not yet issued formal guidelines concerning the application of the GDPR and the related Italian implementation law, it has issued a general guide to GDPR implementation (in Italian; see here).

———


White & Case contributors

Veronica Pinotti
Partner, White & Case
T +39 02 00688 410
E veronica.pinotti@whitecase.com

Veronica Pinotti has more than 20 years of experience in the area of EU competition and regulatory law and is a member of the White & Case Global Data, Privacy & Cybersecurity Practice. She specialises in designing ad hoc compliance programmes covering risk assessment, monitoring of compliance risks, guidelines, policies, training, compliance communication, reporting, internal controls, evaluation of the effectiveness of the programme, whistleblowing, training of compliance managers, and incident handling. Veronica provides strategic advice to international clients in various industries on compliance and risk assessment projects. She is very experienced in handling privacy matters and proceedings under EU and national applicable privacy laws and regulations and regularly advises and represents clients before the relevant authorities and courts.

Martino Sforza
Associate, White & Case
T +39 02 00688 342
E martino.sforza@whitecase.com

Martino Sforza is a member of the White & Case Global Data, Privacy and Cybersecurity Practice. Martino has extensive experience in assisting international clients on data privacy, antitrust, distribution, consumer protection and issues relating to regulated markets. Martino is highly specialised in privacy and data security matters. He routinely counsels clients on compliance with EU and national laws and regulations, including GDPR compliance, mechanisms for cross-border data transfers (including Privacy Shield), and data privacy and security policies and best practices. He represents clients before the relevant authorities and courts and provides strategic advice during audit and risk assessment activities, offering specific solutions and coordinating external counsel from other jurisdictions.

———


Other chapters

———

See also:

Our Global Data, Privacy & Cybersecurity Practice »

GDPR Handbook: Unlocking the EU General Data Protection Regulation »

———


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP
