Privacy at the time of the new European regulation GDPR: the Vademecum of the Studio Legale Menichetti. | Studio Legale Menichetti


The new EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) will apply from 25 May 2018, directly and without the need for national legislation transposing it, and will supersede the provisions of the Privacy Code (Legislative Decree no. 196/2003) currently in force.

GENERAL PRINCIPLES

Accountability
The new regulation remains rooted in the general principles of the former Privacy Code (necessity, lawfulness, fairness, adequacy, transparency and relevance in the processing of personal data), but it is built in particular on the concept of accountability. Accountability presupposes a careful ex-ante assessment of the risks to privacy and an obligation, for anyone who uses and processes other people's personal data, to put in place adequate and sufficient measures (no longer merely the "minimum measures" of the old Code) that guarantee the security of the data, and to be able to demonstrate that this has been done.

What are adequate and sufficient measures?
There is no predetermined, exhaustive list, nor any official prior check of the measures adopted by the data controller. The controller must decide independently, and under its own responsibility, which measures are adequate. To do so it will need to rely on genuinely experienced professionals and choose modern, secure and up-to-date software and technology. It will therefore have to invest in innovation, rather than settling for low-cost solutions, and should also adopt measures that are not strictly mandatory. For example, it may be useful, as suggested by the Privacy Guarantor (the Italian Garante), to keep a Register of processing activities (discussed below) even in the cases where the new European regulation does not require it.

In the event of an inspection each company must be able to document immediately and clearly: which personal data it processes; the purposes and methods of the processing; the security measures and safeguard procedures relating to privacy; and who the persons responsible for, or tasked with, the processing are.

What do companies need to do to comply with the new regulation?
In order to avoid sanctions each company must:
• carefully analyse the personal data it processes;
• identify the people who process the data and gather information on the specific ways in which it is processed;
• identify the risks of theft or unnecessary disclosure of data;
• identify the harm that data subjects could suffer from the processing and/or loss of their personal data;
• take measures to prevent harm, theft and unwanted disclosure;
• provide procedures and forms for the information notice, the collection of consent and its withdrawal, and the erasure and portability of data;
• adapt internal policies to privacy requirements;
• set down the information, assessments and procedures described above in writing;
• prepare the Data Protection Impact Assessment, keep a Register of processing activities and appoint a Data Protection Officer where the new provisions (discussed below) require it.

GENERAL OBLIGATIONS

Information obligation
Personal data must be processed lawfully, fairly and transparently (Article 5 of the GDPR). The data subject must be informed, concisely and in an easily accessible and understandable way, about the processing their data undergoes.
The information must be given to the data subject in writing or by other means (including electronic ones) and must contain (Articles 13 and 14 of the GDPR):
• the purposes and methods of the processing;
• whether providing the data is mandatory or optional;
• the consequences of refusing to provide the data;
• the identity and contact details of the controller (and, where appointed, of the data protection officer);
• the recipients or categories of recipients to whom the personal data may be communicated or who may become aware of it;
• the data subject's right to access the data and to ask for its rectification or erasure;
• the data subject's right to have the data transferred to another controller (data portability);
• the data retention period;
• the right to lodge a complaint with the supervisory authority.

The consent of the data subject.
When it is not necessary. Consent is not required when the processing:
• is necessary for the performance of a contract between the controller and the data subject;
• is necessary to pursue a legitimate interest of the controller or to protect the vital interests of the person to whom the data relate;
• is necessary to comply with a legal obligation to which the controller is subject (e.g. social security or insurance contributions).
How it can be given. In all other cases the consent of the data subject must be given specifically and unambiguously, by a clear affirmative act: it may be oral or a single click, provided it is an explicit action and not mere silence or a pre-ticked box. For online services offered directly to a minor, consent is valid from the age of 16 (a Member State may lower this threshold, but not below 13); below that age the consent of the holder of parental responsibility is required.

Consent can always be withdrawn.
The controller must provide a withdrawal procedure that is no more complicated than the giving of consent.
Profiling and marketing. Consumer profiling and, more generally, marketing profiling must always be expressly authorised: consent cannot be inferred from silence, inactivity or pre-ticked boxes.

Rights of the data subjects.
• access to the data;
• rectification of inaccurate data;
• objection to the processing;
• erasure of the data and the right to be forgotten;
• restriction of the processing and portability of the data.


PEOPLE WHO PROCESS DATA

All parties who process personal data (including those who are not required to appoint a DPO, discussed below) must be able to demonstrate that they safeguard the privacy of the data subjects before any harmful event occurs. These parties are:
• the data controller (titolare in the Italian terminology), i.e. the party that handles other people's data and decides how it is used;
• the data processor (responsabile), who must have the knowledge needed to perform the role properly, even though no specific qualification or registration in a professional register is required;
• the persons authorised to process data (incaricati), i.e. those who physically process the data on the basis of the controller's instructions and the specific directives of the processor.

The data processor. Carries out processing operations on behalf of the controller and on the basis of the controller's documented instructions (Article 28 of the GDPR), making use of the persons authorised to process data.
The processor may be an employee or a self-employed worker, but must always act on the basis of a written contract or other legal act. It may therefore be an employee (as a rule a manager or supervisor), a professional or a consultant, and may be a natural or a legal person; if it is a legal person, a natural person of reference must be identified.
Where cloud services are used, the processor will generally be the cloud provider.
A single processor may act for an entire group of companies.
The processor may engage a sub-processor, but only with the prior written authorisation (specific or general) of the controller.

OBLIGATIONS FOR CERTAIN PARTIES ONLY.

Keeping the Register of processing activities.
The Register of processing activities (Article 30 of the GDPR) must describe the processing carried out and, where possible, the technical and organisational security measures adopted to protect the personal data. Keeping it is mandatory for organisations with 250 or more employees and, regardless of size, for anyone whose processing is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, or involves special categories of data or data relating to criminal convictions and offences. The Guarantor also recommends keeping the Register where it is not obligatory, as evidence of accountability. The Register should indicate:
• the categories of data processed and the purposes of the processing;
• the security measures and the methods of processing;
• the company organisation chart, the names of the controller, processors and authorised persons, and the roles of everyone involved in the privacy procedures;
• the relationships between the various company functions;
• the safeguard procedures, forms and complaint channels concerning the protection of privacy.

DPIA (Data Protection Impact Assessment)
This is an in-depth assessment, to be carried out and documented by the controller whenever a processing operation is likely to result in a high risk to the rights and freedoms of natural persons (in particular for the types of processing on the list published by the Guarantor), in order to identify the technical and organisational measures needed to prevent the risk that data subjects could suffer harm from the processing of their data (Article 35 of the GDPR).

The DPO (Data Protection Officer).
A figure provided for in Article 37 of the Regulation, distinct from both the controller and the processor.
Who must appoint one? All public authorities and bodies, and private parties whose core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or in any case large-scale processing of special categories of personal data or of data relating to criminal convictions and offences (Article 37(1)(b) and (c)).
By way of example: insurance, credit and credit-information institutions; financial, business-information, debt-collection and auditing companies; supervisory bodies, trade unions, tax assistance centres and political parties; companies operating in telecommunications and in energy or gas distribution; employment agencies and personnel recruitment companies; hospitals and companies operating in the health and diagnostic field; call centres; providers of computer network services and of television services.

Who can be DPO? No special qualification or specific training is required, but the DPO must have specific knowledge and skills. If the DPO is an employee, they must be required to attend appropriate training and refresher activities, attendance at which must be documented in writing.

An employed DPO must act on the basis of a written designation that guarantees their autonomy and independence and provides adequate resources (equipment, premises, staff). They may also hold other positions, provided these do not conflict with the duties of the DPO role.

The DPO may also be an external consultant or a legal person (provided a natural person of reference is identified), operating under a written service contract that specifies tasks and resources. A single DPO may be appointed for a group of companies, provided they are easily reachable from each establishment and actually perform their role of oversight and control.
The DPO's contact details must be published and communicated to the Guarantor. The DPO's name, on the other hand, need only be disclosed to data subjects where the controller or processor considers this necessary, although it may be useful to make it known.

VIOLATIONS AND SANCTIONS.

Personal data breaches
If a personal data breach could endanger the rights and freedoms of the data subjects, the Privacy Guarantor must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, giving reasons for any delay (Article 33 of the GDPR); where the risk is high, the data subjects themselves must also be informed without undue delay (Article 34).

Sanctions and compensation.
Administrative fines can reach a maximum of 20 million euros or, for undertakings, 4% of total worldwide annual turnover, whichever is higher (Article 83 of the GDPR). The amount applied in each case is set by the supervisory authority, taking into account the nature of the data involved, the gravity and duration of the infringement, the damage caused to the data subjects, whether the infringement was intentional or negligent, and any previous infringements; Member States may also lay down rules on additional penalties (Article 84). Data subjects who have suffered damage are entitled to compensation from the controller or processor (Article 82).

The powers of the Privacy Authority remain in place: verification, inspection, recommendation and prohibition of unlawful processing.
(LC)
