FAQs
The changes introduced for PUBLIC administrations:
➢ from Legislative Decree no. 196/2003 to the new European Regulation no. 679/2016 on Privacy
The Regulation applies to controllers and/or processors of personal data who have an establishment within the European Union, regardless of whether the processing itself takes place in the EU.
The text makes it MANDATORY for Public Administrations to appoint a NEW PROFESSIONAL FIGURE, the “Data Protection Officer”, and calls for strong accountability: a change of pace and a proactive approach to change.
The protection of personal data finally becomes a strategic asset of Public Administrations, one that must be assessed from the outset, already when designing new procedures, products or services (the principles of “data protection by design” and “data protection by default”), without the bureaucratic drift that in past years relegated THE PROTECTION OF PERSONAL DATA to the mere formality of signing to acknowledge an information notice or to consent to the processing of health data: with the Regulation we return to concreteness.
Following the provisions of the European Regulation, Public Administrations have the OBLIGATION to carry out an impact assessment (“privacy impact assessment”) of the processing operations covered by the Regulation whenever a type of processing, considering its nature, scope, context and purposes, is likely to present a high risk to the rights and freedoms of natural persons.
The privacy impact assessment requires a precise and documented RISK ANALYSIS of the risks to the rights and freedoms of the data subjects.
The Regulation provides for an increase in administrative sanctions against companies and public administrations: in the event of violations of its principles and provisions, SANCTIONS can reach up to 20 million euros or, for companies, up to 4% of total annual turnover.
SUBSTANTIAL CHANGES
The Data Protection Officer (DPO)
Among the first changes, PARTICULAR ATTENTION is deserved by a new professional figure who works alongside the controller, the processor and the person in charge of data processing.
This new figure is the so-called Data Protection Officer (“DPO”).
The DPO may be an employee of the controller company (which is not recommended, since the requirement of functional and operational autonomy is hard to reconcile with a subordinate employment relationship); it is much better to opt for an external consultant able to carry out the tasks under a SERVICE CONTRACT in full autonomy and independence.
In any case, each company must publish the contact details of its DPO, who must be easily reachable by all data subjects (therefore the name must be included in the privacy notice), and communicate them to the national Guarantor for the protection of personal data.
Within the company, the DPO reports directly to the Data Controller, or in any case to the company’s top management, without intermediaries and with great autonomy and independence from the other managers concerned.
Main tasks of the DPO:
• inform and advise the controller or processor, and train (compulsory training) employees and middle managers, on the obligations arising from the Regulation;
• verify the implementation and application of the legislation, and raise awareness among staff and the auditors involved;
• provide opinions and advice on the data protection impact assessment (Privacy Impact Assessment) and monitor the related obligations;
• act as a contact point for data subjects on any issues relating to the processing of their data and the exercise of their rights;
• act as a contact point for the Guarantor for the Protection of Personal Data and, where necessary, consult the Guarantor on the DPO’s own initiative with requests, opinions and questions.
The DPO is mandatory within all:
• public bodies (P.A.) and similar entities;
• companies and even professional offices whose processing presents specific risks, such as those requiring regular and systematic monitoring of data subjects on a large scale, and those processing so-called “sensitive data” (health or judicial data) on a large scale;
• companies with more than 250 employees. The DPO must be appointed, under a service contract, from among qualified personnel, internal or external to the company (outsourcing).
Each data controller is obliged to perform a “data protection impact assessment” (Privacy Impact Assessment).
This obligation applies to automated processing with IT tools, including profiling, to large-scale processing of particular categories of (sensitive) data, and to data obtained from systematic surveillance, again on a large scale, of publicly accessible areas.
Only some categories, such as small SMEs and those who process simple data, are exempted from some of the more demanding requirements, without prejudice to the obligation to comply with the basic mandatory ones that apply to anyone processing data, especially with IT tools.
This exemption cannot be applied, however, when: “… the processing they carry out may present a risk to the rights and freedoms of the data subject”, the “processing is not occasional” or it “includes the processing of particular categories of (sensitive) data … or personal data relating to criminal convictions …”.
Another important novelty is the obligation, for each company responsible for processing sensitive data, to keep a “register of processing activities” (also in electronic format) carried out under its own responsibility, in order to be able to DEMONSTRATE the CONFORMITY of the technical (IT) and organizational security measures adopted with the provisions of the Regulation.
The register must record:
• the type of processing activities carried out under one’s own responsibility;
• the purposes of the processing and that they do not exceed what is required;
• a description of the categories of data subjects and the categories of personal data involved.
What will change for citizens, businesses and professionals and for public administrations?
The Regulation applies to controllers and/or processors of personal data who have an establishment within the European Union, regardless of whether the processing itself takes place in the EU.
The new legislation also applies to all data subjects present in the EU when, even though the company carrying out the processing has no establishment in EU territory, the processing concerns the offer of goods or services to data subjects or the monitoring of their online behaviour, insofar as that behaviour takes place within the European Union.
Consent, an indispensable prerequisite for the lawfulness of processing, can also be given by the data subject through automated systems; indeed, the Regulation considers valid “any manifestation of free, specific, informed and explicit will by which the data subject accepts, by means of an unequivocal affirmative declaration or action, that the personal data concerning him or her be processed” (art. 4, paragraph 11).
Furthermore, the controller must be able to prove at any time that the data subject has consented to the processing of his or her data; if the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent must be clearly distinguishable, intelligible and easily accessible.
The data subject can withdraw consent at any time and must be properly informed of this possibility.
Consent of minors.
The Regulation provides that, in the direct offer of information society services to minors, the processing of a minor’s personal data is lawful where the minor is at least 16 years old. The processing of personal data of minors under the age of 16 is lawful only if and to the extent that consent is given or authorized by the parent or guardian.
Among the first innovations, a new professional figure who works alongside the controller, the processor and the person in charge of data processing deserves particular attention. This new figure is the so-called Data Protection Officer (“DPO”).
The DPO is mandatory within all:
a. public bodies (P.A.) and similar entities;
b. companies and even professional offices whose processing presents specific risks, such as those requiring regular and systematic monitoring of data subjects on a large scale, and those processing so-called “sensitive data” (health or judicial data) on a large scale;
c. companies belonging to the same group, at national or cross-border level, may appoint a single DPO, provided that he or she is easily accessible by each company in the group; the role of the DPO must therefore be entrusted, under a service contract, to qualified personnel, internal or external to the company (outsourcing), who nevertheless operate within the organisation’s area of activity.
3.1 Who can perform the DPO task?
The DPO may be an employee of the controller company (which is inadvisable, since the requirement of functional and operational autonomy is hard to reconcile with a subordinate employment relationship); it is much better to opt for an external consultant able to perform his or her duties under a CONTRACT OF SERVICES in full autonomy and independence.
In any case, each company must publish the contact details of its DPO, who must be easily reachable by all data subjects (therefore the name must be included in the privacy notice), and communicate them to the national Guarantor for the protection of personal data.
3.2 What should the DPO do?
Within the company, the DPO reports directly to the Data Controller, or in any case to the company’s top management, without intermediaries and with great autonomy and independence from the other managers concerned.
Main tasks of the DPO:
a) inform and advise the controller or processor, and train (compulsory training) employees and middle managers, on the obligations arising from the Regulation;
b) verify the implementation and application of the legislation, and raise awareness among staff and the auditors involved;
c) provide opinions and advice on the data protection impact assessment (Privacy Impact Assessment) and monitor the related obligations;
d) act as a contact point for data subjects on any issues relating to the processing of their data and the exercise of their rights;
e) act as a contact point for the Guarantor for the Protection of Personal Data and, where necessary, consult the Guarantor on the DPO’s own initiative with requests, opinions and questions.
Another important novelty is the obligation, for each controller processing sensitive data, to keep a “register of processing activities” (also in electronic format) carried out under its own responsibility, in order to be able to demonstrate the CONFORMITY of the technical (IT) and organizational security measures adopted with the provisions of the Regulation.
The register must record:
i) the type of processing activities carried out under one’s own responsibility;
ii) the purposes of the processing and that they do not exceed what is required;
iii) a description of the categories of data subjects and the categories of personal data involved;
iv) transfers of personal data to a third country or an international organization.
The impact assessment is required for automated processing with IT tools, including profiling, for large-scale processing of particular categories of (sensitive) data, and for data obtained from systematic surveillance, again on a large scale, of publicly accessible areas.
In any case, the Privacy Guarantor (as regards Italy) will draw up and publish the list of types of processing subject to the “data protection impact assessment” requirement.
Only some categories, such as small SMEs and those who process simple data, are exempted from some of the more demanding requirements, without prejudice to the obligation to comply with the basic mandatory ones that apply to anyone processing data, especially with IT tools.
This exemption cannot be applied even to otherwise exempted persons when: “… the processing they carry out may present a risk to the rights and freedoms of the data subject”, the “processing is not occasional” or it “includes the processing of particular categories of (sensitive) data … or personal data relating to criminal convictions …”.
The Regulation expressly recognizes the right to be forgotten, that is, the possibility for the data subject to have personal data that are no longer necessary for the purposes for which they were collected erased and no longer processed, in the event of withdrawal of consent, when he or she has objected to the processing of personal data concerning him or her, or when the processing of his or her personal data otherwise does not comply with the Regulation.
In particular, the right to be forgotten is set out in art. 17 of the Regulation, which establishes that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. The controller is then obliged to erase the personal data without undue delay where one of the following grounds applies:
i) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
ii) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
iii) the data subject objects to the processing of personal data and there are no overriding legitimate grounds for the processing;
iv) the data have been unlawfully processed;
v) the data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject;
vi) the data have been collected in relation to the offer of information society services.
Among the new rights of the data subject, the Regulation establishes the right to “data portability”. Thanks to data portability, the data subject has the right to:
i) receive, in a structured, commonly used and machine-readable format (possibly an open-source format), the personal data concerning him or her that he or she has provided to a controller;
ii) transmit those data to another controller without hindrance, where the data subject has consented to the processing or where the processing is necessary for the performance of a contract (telephony, internet, social networks).
The Regulation establishes the principle of “accountability”, that is, the duty to account, under which the Company must demonstrate, effectively and concretely, that it has adopted privacy policies and adequate measures in accordance with the Regulation.
This principle is expressed in the EVALUATION of:
a) “transparency”, understood as a guarantee of full access to information, first of all for citizens, also as users of the service;
b) “responsiveness”, understood as the ability to account for choices, behaviours and actions and to respond to questions raised by stakeholders;
c) “compliance”, understood as the ability to enforce the rules (especially internally).
The new Regulation implements this principle in art. 22, which provides that, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller implements “appropriate technical (IT) and organizational measures to guarantee, and be able to demonstrate, that the processing of personal data is carried out in accordance with the Regulation”.
The Regulation introduces another important novelty by allowing the controller to turn to certification bodies (art. 42) in order to demonstrate compliance with the obligations arising from the Regulation itself.
With the Regulation, data protection becomes a strategic asset of companies, one that must be assessed already when designing new procedures, products or services: this is achieved through privacy by design and privacy by default.
The Regulation introduces:
a) the principle of “privacy by design”, which requires adequate technical and organizational measures to be implemented both when planning and when carrying out the processing, so that data protection is effective throughout the life cycle of the technology, from concept to disposal;
b) the principle of “privacy by default”, which follows the principle of necessity set out in the current regulation and establishes that data are processed only for the purposes envisaged and for the period strictly necessary for those purposes. The principles of data minimisation, purpose limitation and storage limitation are therefore strongly reaffirmed.
An important novelty introduced by the Regulation is the obligation for companies and professionals, in the event of a breach or loss of personal data, to notify the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach affecting the data subjects’ data.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller communicates the breach to the data subject without undue delay.
Today the obligation to notify a breach exists only in some sectors (telecommunications providers); on 24.5.2016 the Privacy Guarantor published an infographic summarising the current obligations in the event of data breaches.
The Regulation, in addition to strengthening the powers of the national Guarantor Authorities, has raised the amount of administrative fines, which may reach 10 million Euros or up to 4% of total annual worldwide turnover.