
The Italian DPA (Garante), following a public consultation, has issued a decision that sets out in detail the obligations of telephone companies and Internet service providers in the event of a personal data breach, in accordance with the relevant provisions of the Italian privacy law and of European Directive 2002/58/EC.

Directive 2002/58/EC, otherwise known as the e-Privacy Directive, applies specifically to publicly available electronic communication services and complements the more general provisions of Directive 95/46/EC, the so-called Data Protection Directive. In brief, under Article 4 of the e-Privacy Directive, as amended in 2009, a provider of publicly available electronic communications services must notify the competent national DPA of a personal data breach without undue delay. In the most serious cases, the provider must also notify the subscribers or other individuals likely to be adversely affected by the breach. Providers must also maintain an inventory of personal data breaches that have occurred, so that the DPA can assess their compliance with these obligations. Finally, the competent national DPA may adopt guidelines and issue instructions to providers. These provisions were transposed into the Italian Data Protection Code (Legislative Decree No. 196/2003) through amendments introduced last year.

In this context, the Garante's decision aims to provide guidance and instructions on how to comply with the new obligations.

According to the Italian Data Protection Code, a personal data breach is "a security breach leading, accidentally or not, to the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed in the context of the provision of a publicly available communications service." This definition is broad, but it contains a few elements that limit the scope of the new provisions. In particular, it makes clear that they apply to providers of publicly available electronic communication services, and only in relation to the provision of such services, e.g. a telephone line or Internet access. If the breach concerns data that the provider processes for other purposes, such as personnel management or accounting, the obligations do not apply. Nor does the provision cover, for instance, entities that offer electronic communication services directly to limited groups of individuals, e.g. public or private bodies operating a private telephone switching system (PABX) within an enterprise, operators of websites that publish content on the Internet (so-called "content providers"), search engines, and any other entity that does not provide electronic communication services to the public. Conversely, mobile payment services, such as those carried out through smartphones, are explicitly included in the scope of the provision.

Providers must notify the Garante of every data breach they suffer within 24 hours of detecting it. If not all the required information is available at that time, the provider must send a second, more detailed communication to the authority within three days of the first. To comply with this obligation, the provider must fill in a questionnaire available on the Garante's website. The information required includes a brief description of the breach, the date and place of the event, the nature of the compromised data, the estimated number of individuals affected, the security measures that had been applied to the compromised data, the mitigating measures adopted by the provider and, where a communication to customers is required, its content and the means by which it is made.

Furthermore, providers must notify the customers or other persons involved within three days of detecting the breach, but only when the incident is likely to adversely affect their personal data or privacy. This communication is not required if the provider demonstrates to the Garante that it had implemented appropriate technological measures rendering the data affected by the breach unintelligible to any unauthorized person (in practice, encryption only achieves this if the decryption keys were not themselves exposed in the same incident). To this end, the Garante suggests that providers carry out a structured risk assessment in order to identify and adopt the security measures needed to mitigate the possible effects of a data breach. Among these measures, the Garante points out that providers should delete or anonymize personal data once they are no longer necessary for the purposes for which they were collected and processed; protect the data through encryption or anonymization technologies; and pay particular attention to mobile devices, since security breaches very often involve mobile devices used by employees or suppliers outside the provider's premises.

Where part of the electronic communication service has been outsourced to a supplier or subcontractor, that party must, in the event of a personal data breach, inform the provider that has the direct contractual relationship with the subscribers within 24 hours, so that the provider can fulfil its own obligations.

The Garante acknowledges that it can be difficult for a provider to assess the possible adverse effects of a data breach in order to determine whether the communication to customers or other involved persons is required. To facilitate this task, the Garante suggests that providers consider the following parameters:

  • security controls and measures that protect the affected data, e.g. encryption,
  • nature of the compromised data, e.g. password or other identification credentials, telephone traffic data, etc.,
  • circumstances of the event, e.g. unauthorized access, data loss or destruction, etc.,
  • possibility of identifying the data subjects, e.g. in the case of a breach of multiple data sets concerning the same individual, and
  • relevance and currency of the compromised data.

Providers must keep an up-to-date inventory of personal data breaches, recording the circumstances of each breach, its consequences and the measures adopted to remedy it, in a form that enables the Garante to assess compliance with the provisions described above.

Failing to notify the Garante of a data breach carries a fine of up to 100,000 euros, and failing to communicate the event to customers or other persons, where required, carries a fine of up to 1,000 euros per individual involved. These administrative sanctions may be increased up to four times where they would otherwise prove ineffective on account of the provider's economic status.

Written By

Stefano Tagliabue, CIPP/E

