The processing of personal data is regulated in Italy by the Data Protection Code. This is a comprehensive piece of legislation which sets out (i) some general principles by reference to Regulation (EU) 2016/679 (GDPR) (for further information on the GDPR, please see here), and (ii) specific provisions concerning certain categories of data and other discrete topics (e.g. regarding health data, data processing in the judicial sector, the powers of the Italian Data Protection Authority, criminal sanctions for noncompliance etc. See below for more detail).
Definitions
Pursuant to the GDPR:1
- Personal data may include any information relating to an identified or identifiable individual, i.e. one who can be identified, directly or indirectly, in particular by reference to (i) an identifier such as a name, an identification number, location data or an online identifier, or (ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
- Data subject is any individual whose personal data is collected, held or processed.
- Data processing consists of any activity involving personal data, i.e. gathering, processing or use of personal data. For additional information on what constitutes data processing, see here.
- Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Privacy Overview – Italy
In order to be compliant with the GDPR, entities must observe certain principles and constraints when conducting any data processing activity.
Personal data must, among other things, be (i) processed lawfully and fairly and (ii) collected for specific, explicit and legitimate purposes. Furthermore, the processing must be necessary and not excessive in relation to the purposes for which the data are collected, and the data must be stored for no longer than necessary for the purposes for which the data were initially collected.
Companies can process personal data only if and to the extent that the processing activities fall within at least one of the express conditions of lawfulness provided by the Italian Data Protection Code and the GDPR, which include, among others: (i) the data subject’s prior, informed and express consent to the processing operations;2 (ii) the necessity of compliance with a legal obligation to which the controller is subject; (iii) the necessity of performing a contract to which the data subject is party, or of taking steps at the request of the data subject prior to entering into a contract; or (iv) the processing being aimed at establishing or defending a legal claim.3
- Information notice. Companies must provide the data subject, either orally or in writing, with the main information regarding the processing of his/her personal data, including: (a) the identification data concerning the data controller and the data protection officer, where applicable; (b) the purposes and legal basis for processing; (c) the entities or categories of entities to whom the data may be communicated; (d) the details and legal basis of the transfer of the data abroad, where applicable; (e) the data retention period; (f) the list of the data subject’s rights, including the right to lodge a complaint with a supervisory authority; and (g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data.
In practical terms, information and communication relating to the processing of personal data must be easy to access and understand, and clear and plain language must be used. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data, and how to exercise their rights in relation to such processing.
- Consent. Consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity do not constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Categories of personal data and health data
The GDPR provides for specific constraints in connection with processing activities involving some categories of personal data, which include health data.
- Special categories of personal data are those data which, by their nature, are particularly sensitive in relation to fundamental rights and freedoms (such as racial or ethnic origin, or political opinions). Such personal data should not be processed unless processing is expressly allowed by law.
- Criminal offence data are sensitive data that must be processed with appropriate care, similarly to special categories of personal data. They are subject to specific rules and do not benefit from the same exceptions as the aforementioned data.
Other principles
- Processing. The processing of personal data must be performed by persons/entities expressly appointed and instructed by the data controller or processor.4
- Security Standards. Companies are required to ensure appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.
Companies acting as data controllers or data processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the specific circumstances in which they operate, including the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of data subjects.
Security measures may include the pseudonymization and encryption of personal data or procedures which ensure regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Data Transfers. Companies are required to verify whether their data flows abroad are lawful, because specific constraints apply to transfers of personal data from Italy or another European Union country to countries outside the European Union. These constraints may include, amongst others, the following: (i) the transfer may take place only if the third country in question ensures an adequate level of protection; and (ii) the data subject must grant his express consent to the transfer of personal data to the foreign parties.5 EU Standard Contractual Clauses (SCCs), binding corporate rules and Adequacy Decisions are some of the instruments that entities can put in place in order to secure data transfers. See also here on Cross Border Data Transfers.
- Data Protection Impact Assessment. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
- Recordkeeping. Most entities must keep written documentation of processing activities.
Specific provisions set out in the Italian Data Protection Code
The Data Protection Code regulates several specific areas and topics, namely:
- Data processing by the police (Title II)
- State defense and security (Title III)
- Data processing in the public sector (Title IV)
- Data processing in the health care sector (Title V)
- Data processing in the education sector (Title VI)
- Data processing for the purposes of archives of national interest, of scientific or historical research or for statistical purposes (Title VII)
- Data processing in the employment context (Title VIII)
- Other types of data processing in the public sector or in the public interest (Title IX)
- Electronic communications (Title X)
- Journalism, freedom of expression and information (Title XII)