The “Garante per la protezione dei dati personali” (Garante) is an independent authority responsible for monitoring the application of the laws and regulations applicable to data processing in Italy, including under the GDPR.
The powers of the Garante include the following:1
- Control:2 the Garante verifies whether data processing operations are carried out in compliance with applicable laws and regulations. The Garante receives and resolves complaints by data subjects;
- Information and promotion:3 the Garante promotes the understanding by the public of the risks, rules, safeguards, and rights in relation to data processing as well as the awareness of the obligations imposed on data controllers and processors by the GDPR;
- Management, consulting and cooperation:4 the Garante issues and manages lists and registers related to breaches of the GDPR. It can advise the Italian Parliament, the Government, and other institutions and bodies on legislative and administrative measures, and cooperates with data protection authorities in other jurisdictions;
- (Sub)legislative integration:5 the Garante can adopt standard contractual clauses which may be used in relation to data processing and can approve binding corporate rules applicable to certain groups of undertakings or businesses.
- Investigation:6 in pursuance of its investigatory powers, the Garante can request information or documents from data controllers, data processors, data subjects or third parties. The Garante can also compel access to databases and filing systems.
- Investigative: a DPA can conduct investigations to ascertain compliance with data protection rules. In the exercise of its investigative powers, a DPA can compel the controller and the processor to provide information, carry out reviews on certifications, notify the controller or the processor of alleged breaches of the GDPR, obtain access to all personal data held by the controller and the processor, and inspect any premises of the controller and the processor.7
- Corrective: a DPA may issue warnings or reprimands to a controller or processor, order a controller or a processor to comply with requests from data subjects exercising their rights under the GDPR, compel the controller or the processor to bring processing operations into compliance with the provisions of the GDPR, order the controller to notify a personal data breach to the data subject, impose temporary or definitive restrictions including a ban on processing, order the rectification or erasure of personal data, order the withdrawal of a certification, impose administrative fines, and order the suspension of data flows to a recipient in a third country or to an international organization.8
- Authorization and advisory: a DPA may advise the controller, issue – on its own initiative or on request – opinions to the relevant national parliament, government or other institutions, authorize data processing for the performance of a task in the public interest, issue opinions and approve draft codes of conduct, issue certifications and approve criteria of certification, adopt standard data protection clauses, authorize contractual clauses and approve binding corporate rules.9
1 Articles 154 and 154bis of Italian Data Protection Code.
2 This includes tasks listed at a), f), i), v) par. 1, Article 57 of GDPR and at a), b), f), g), par. 1, Article 154 of Data Protection Code.
3 This includes tasks listed at b), d), e), m), n), par. 1, Article 57 of GDPR and at c), e) par. 1, Article 154 of Data Protection Code.
4 This includes tasks listed at c), g), h), k), l), o), t), u) par. 1, Article 57 of GDPR and at d) par. 1 and par. 2-4, Article 154 of Data Protection Code.
5 This includes tasks listed at j), p), q), r) and s) par. 1, Article 57 of GDPR.
6 Article 157 of Data Protection Code.
7 Article 58, par. 1, of GDPR.
8 Article 58, par. 2, of GDPR.
9 Article 58, par. 3, of the GDPR.