From September 19, 2018, the legislative decree that adapts the Italian legislation to the GDPR is in force.
Thirteen questions and answers for public administration, companies and citizens.
From today the protection of personal data in Italy is regulated by the GDPR and by the new privacy code. The latter, to be precise, is Legislative Decree no. 101 of 10 August 2018, which comes into force today, 19 September 2018. To understand concretely the importance of the rule: we will encounter Legislative Decree 101/2018, for example, in public offices, in pharmacies, at the doctor's, and even in CVs (even if for CVs it is not mandatory).
The legislative decree, which completes the framework of the new European privacy, is full of provisions. Here we summarize the 13 main innovations.
Criminal penalties: imprisonment from six months to six years
- Illegal processing of data. “Unless the fact constitutes a more serious offense, anyone who, in order to obtain profit for himself or for others or to cause damage to the data subject, and operating in violation of the Regulation, causes damage to the data subject, is punished with imprisonment from six months to one year and six months.” In severe cases, up to three years.
- The fraudulent acquisition of personal data subject to large-scale processing is punished with imprisonment for one to four years.
- Illicit communication and dissemination of personal data processed on a large scale is punished with imprisonment for one to six years.
- Failure to comply with the Guarantor’s provisions is punished with imprisonment from three months to two years.
It will be the duty of the Privacy Guarantor to write the rules for the application of the administrative sanctions, provided, for example, as stated in the legislative decree, for those who do not carry out the data protection impact assessment (the so-called DPIA).
“For the first 8 months from the date of entry into force of this decree”, reads article 22, paragraph 13, “the Guarantor for the protection of personal data takes into account, for the purpose of applying administrative sanctions and to the extent compatible with the provisions of the EU Regulation, the phase of first application of the sanctioning provisions”. This does not mean, however, that it will be unable to impose administrative sanctions, which can be extremely high.
Small and large administrative penalties
The lesser administrative fines can reach 10 million euros for individuals or, for businesses, up to 2% of annual worldwide turnover if higher, and concern violations of the obligations of:
- The data controller and the data processor.
- The certification body.
- The code of conduct monitoring body.
The administrative fines of greater magnitude can reach 20 million euros for individuals or up to 4% of annual worldwide turnover for companies, regardless of where the main office is located, which can also be outside Europe. Also for this reason, with the GDPR in force, Facebook could no longer get away with a new Cambridge Analytica case: these fines are triggered, for example, by the illegal transfer of data to third parties.
Simplified ways of fulfilling obligations for SMEs
In consideration of the simplification needs of micro, small and medium-sized enterprises, the Privacy Guarantor must promote simplified procedures for the fulfillment of the obligations of the data controller.
Children on social networks from 14 years old without parental approval
In Italy from September 19th, those who are 14 years old can freely register on social networks and use instant messaging services (WhatsApp, etc.). This is another change contained in the text of the decree adapting to the GDPR. Children under 14 need the consent of those who exercise parental responsibility.
The decree gives the green light to the processing of genetic, biometric and health-related data, which must take place by following the guarantee measures provided by the Privacy Guarantor.
The new privacy code strengthens the powers and increases the tasks of the Privacy Guarantor, for which the legislator has set a staff limit of 162 units. There is news also for those who wish to become a member of the Authority: “The College consists of four members, two elected by the Chamber of Deputies and two by the Senate of the Republic with limited vote. The members must be elected from among those who submit their candidacy in the context of a selection procedure whose notice must be published on the websites of the Chamber, the Senate and the Guarantor at least sixty days before the appointment. Applications must be received at least thirty days before the appointment and the curricula must be published on the same websites”. Finally, the form of protection guaranteed to those who believe they have suffered a violation of privacy has also changed: no more appeal, but the data subject can lodge a complaint with the Privacy Guarantor or apply to the judicial authority.
Data for scientific research and for statistical purposes
The Guarantor Authority for the protection of personal data must also promote ethical rules for the processing of personal data for purposes of archiving in the public interest, scientific or historical research or statistical purposes. The novelty introduced is that such processing can be carried out even beyond the period of time necessary to achieve the various purposes for which the data were previously collected or processed.
All judicial bodies are obliged to appoint a Data Protection Officer (DPO).
The data of the deceased
The rights relating to the personal data of deceased persons can be exercised by those who have an interest of their own, or who act to protect the data subject as their agent, or for family reasons worthy of protection.
What happens now for all those provisions issued by the Guarantor for the protection of personal data prior to 25 May 2018 (such as, for example, those relating to video surveillance, system administrators, marketing, etc.)?
Starting from 25 May 2018, all the provisions of the Guarantor for the protection of personal data continue to apply, insofar as they are compatible with the GDPR and with the provisions of the new Privacy Code. The situation is slightly different, however, for the general authorizations, for which the Guarantor will have to decide on their compatibility with the new regulatory system, and possibly update them, within 90 days from the date of entry into force of Legislative Decree 101.
The legislative decree allows the facilitated settlement of pending proceedings relating to administrative violations of the ‘old’ Privacy Code, through the payment of a reduced sum. There are 90 days to pay the reduced penalty for pending disputes: the account can be settled by paying two fifths of the minimum statutory fine. The deadline for payment is set on the ninetieth day from the entry into force of Legislative Decree 101/2018, therefore counting from today.
Do not take unnecessary risks by waiting until the last moment to adapt: in the event of non-compliance with privacy obligations, the European Privacy Regulation provides for administrative fines of up to € 20,000,000 or up to 4% of your turnover if greater than this amount.