With the resolution of 26 July 2018 (web document no. 9025338), the Privacy Guarantor publicly disclosed the criteria by which the inspection activity of the special team of the Guardia di Finanza, in charge of checking and imposing sanctions for violations of current legislation, will be carried out in the period July-December 2018.
It is no coincidence that this period was chosen: on September 4, and therefore after the aforementioned provision, Legislative Decree no. 101 of 10 August 2018, harmonizing national law with EU Reg. 679/16, was published, and it entered into force on 19 September.
Objectives and criteria of the measure:
- “… opportunity to orient the inspection activity, according to gradual criteria … on the most relevant treatments for size and concentration of data, as well as for their riskiness”.
This is the so-called “sample” control, which is not triggered by citizens’ complaints or reports but is initiated independently by the Guarantor.
In its provision, the Guarantor establishes that the checks entrusted to the Guardia di Finanza will cover, among others:
- “… b) checks on subjects, public or private, belonging to homogeneous categories on the conditions of lawfulness of the treatment and on the conditions for consent if the treatment is based on this assumption, on compliance with the disclosure obligation and on the duration of data retention. This, also paying specific attention to substantial profiles of the processing that explain significant effects on the data subjects”.
This wording covers, for example, practically all members of professional orders (and the orders themselves), such as labor consultants, accountants, doctors and lawyers, and certainly also condominium administrators.
The latter, although they are not part of an established order nor enrolled in a special register, certainly carry out a professional activity specifically recognized and identified by law.
It is a category to which a specific regulation applies and which can therefore well qualify as a homogeneous category.
The condominium administrator, like all other homogeneous categories, will have to demonstrate that correct information has been made available, and pay attention to the cases in which the lawfulness of the processing is necessarily based on consent (such as, for example, the processing of particular (or “sensitive”) data in the event of a claim: art. 9 and 10 of EU Reg. 679/16).
Furthermore, one of the main innovations introduced by the European legislator should not be underestimated: the need to indicate the retention time of the data processed.
As mentioned above, on September 19 the new “privacy” legislative decree entered into force.
Among other things, its Art. 22 no. 13 provides:
- “For the first eight months from the date of entry into force of this decree, the Guarantor for the protection of personal data takes into account, for the purposes of applying the administrative sanctions and within the limits in which it is compatible with the provisions of Regulation (EU) 2016/679, the first application phase of the sanctioning provisions.”
This can reasonably be interpreted as meaning that in this period the Guardia di Finanza unit in charge of the sample checks discussed here will tend to be more forgiving.
In fact, when imposing the sanction, it will probably take due account of a series of factors that lighten the position of the data controller or processor:
- the initiation and scheduling of compliance procedures
- the adoption of specific personal data protection policies
- the adoption of security measures appropriate to the Privacy Risk
- the adoption of a Register of Treatments
- the drafting of all appointments of the persons designated for the processing
- Website compliance
With regard to administrative sanctions, the new art. 166 (paragraphs 1-2) refers in general to art. 83, par. 4-5 of the European Regulation, which sets only the maximum limits of these amounts, in the two alternatives (depending on the group of rules violated) of € 10,000,000.00 / 2% of the annual global business turnover (if higher), and of € 20,000,000.00 / 4% of the annual global business turnover (ditto).
This is equivalent to saying that the Guarantor itself will establish, in concrete terms, the amount of the financial penalty in relation to the violation found in the inspection.
Source: https://www.condominioweb.com
Do not take unnecessary risks by waiting until the last moment to adapt. In case of non-compliance with privacy obligations, the European Privacy Regulation provides for administrative fines of up to € 20,000,000 or up to 4% of your turnover if greater than this amount.