As of April 28, the Italian Data Protection Authority (Garante) released its first set of guidelines on the upcoming General Data Protection Regulation, which also takes into account the recent opinions issued of the Article 29 Working Party.

To this extent, the following paragraphs contains a summary of the indications that the Garante provided within its guidelines, with a particular focus on the main changes that may occur as of May 2018.

This, also with specific regards to the current national data protection legal framework set forth by the Italian Data Protection Code and the jurisprudence of the same Garante.

Consent

The Garante underlines that the provisions on consent of the GDPR pretty much recall the same requirements already set forth under the Code, with regards to the rules applying to all processing operations, as well as to the additional requirements for processing applicable to both private and public bodies.

In particular, as for personal sensitive data and profiling (i.e. Articles 9 and 22 of the GDPR), the Garante states that under the Regulation consent for processing shall become “explicit” and not just “expressed in written," as in the current code.

Although written consent is not mandatory under the GDPR, under the Garante's point of view it still represents a safer and more secure option for obtaining legal certainty of data subjects’ will to the processing. Data controllers dealing with particular categories of personal data and processing activities, i.e. data concerning health or profiling, should therefore consider the possibility to keep track of explicit consent also by means of written and unequivocal means, either in an electronic format or not.

Moreover, the Garante recommends that, in any case, consent requests shall always be clearly and easily formulated and distinguishable from other generic requests presented to the data subject, for example by means of ad hoc forms and documents. Also, they should put individuals in the condition to provide for a clear and specific sign with respect to the processing they want to be subject to or not.

Finally, the Garante recalls that the general rule of the code for which public bodies are exempted from the obligation to request data subjects’ consent for all those processing activities which are compliant with their institutional purposes, may be considered consistent with the GDPR.

Legitimate interest of the data controller 

In accordance with the accountability principle, the Garante specifies that the balance between the legitimate interest of the data controller and the fundamental rights and freedoms of the interested data subject should be left to the same data controller.

It seems that the institute of the balance of interests is going to play a very important role for a correct execution of the GDPR in the Italian legal system. In fact, aside from the specification on the principle of accountability, the Garante has also confirmed in substance the requirements set forth by some of its most relevant general orders and provisions on the balance of interests with regards to prior checking application, such as those on: video surveillance, biometric data processing, and online fraud prevention.

In addition to that, the Garante also made clear that the provisions of the Code specifically repealed by the Regulation shall not be considered in the balance for the legitimate interest, with particular reference to those on the obligation to notify the Authority some processing activities.

Information notice

Data controllers shall verify compliance of their information notice to the letter of Articles 13 and 14 of the GDPR before May 2018. To this extent, the Garante clarifies that the Regulation supports the use of simplified information notices and documents for providing data subjects with all the necessary information to explain the processing of their personal data, e.g., by using icons, signs, symbols, etc.

That was also a view that the Garante highlighted several times in the past by means of different orders and provisions on: video surveillance, biometric data processing and video surveillance with regards to banks. As a consequence, the Garante suggests to keep considering the above as an additional guidance for drafting information notices consistent with the letter of the GDPR.

As a final remark, given the importance of the accountability principle under the GDPR, the Garante recommends data controllers to refer to its guidelines and orders on the disproportionate effort to inform data subjects of a specific processing by means of a simplified information notice or, where applicable, a specific exemption.  

Rights of the data subjects

According to the Garante’s view, the set of rights enshrined in the GDPR is more extensive than that of code. However, in order to guarantee dynamic consistency with the current legislative framework, the Garante suggests data controllers keep taking into account for additional guidance its past orders on intelligibility, clarity and completeness of responses to provide to data subjects when they exercise their rights, i.e., with particular reference to those on personal sensitive data processing and electronic communication tools.

With regards to fees for the exercise of rights to be payed from data subjects, the Garante states that it will evaluate whether to adopt specific guidelines on the issue, consistently with its previous orders and jurisprudence, as well as considering article 70 of the GDPR relevant to the future European Data Protection Board tasks.  

Right to be forgotten and limitation of processing

The right to be forgotten set forth under the GDPR has a broader scope than the current right to erasure of the code. In fact, the data subject may ask for cancellation of his or her personal data also after withdrawal of consent has occurred. The Garante, as well as Italian courts, issued many orders and decisions on RTBF since the Google Spain case, however it is still to be seen whether such jurisprudence will survive the test of time after the entry into force of the GDPR as of May 2018.

As far as limitation of processing is concerned, the Garante highlights that under the Regulation the right has a different nature than that of the right to block the processing set forth by the Code. That is because the right to limitation can be exercised not only in cases of violation of the legal grounds for processing, but also with regards to requests of rectification or objection by the same data subject waiting for the data controller to evaluate a limitation application.

Moreover, the Garante also suggests that data controllers shall adopt specific measures for the “marking” of datasets subject to limitation of processing, either by means of electronic tools or not, in order to allow individuals to better exercise their rights.  

 Right to data portability 

As a general remark, the Garante highlights the need for data controllers to take into account the numerous orders through which it indicated the criteria for defining the balance of interests between data subjects’ rights and the rights of third parties.

To this extent, with specific regards to interoperability, particular reference shall be made to the provisions relevant to the processing of personal data in the banking sector and in the banking industry in general.

Controller, processor, person in charge of the processing

Data controllers should assess the existence of situations of joint controllership, in order to stipulate the internal agreement pursuant to Article 26.1 of the GDPR. In particular, it will be necessary to identify the “contact point” for data subjects.

Controller should also verify the consistency with Article 28.3 of their contracts or different typologies of binding legal acts with data Processors. In particular, focusing on clauses of sub-processing and on the possibility of drafting standard clauses to this end.

The Garante is working on the assessment of the current Codes of Conduct, while for the certification mechanisms it will be necessary the action of policymakers to set the actual modalities for the accreditation.

The Garante clarifies that the “person in charge of the processing” of Code perfectly fits the structure of the GDPR, in line with the accountability principle. Therefore, the authority suggests to maintain the use of appointing in writings as persons in charge of the processing, all the individuals processing personal data on behalf of the controller (or processor).

Risk-based approach and accountability principle 

With regard to the record of processing activities pursuant to Article 30 of the GDPR, the Garante underlines that it does not represent a mere formal obligation. On the contrary, it represents crucial part of a correct management of processing operations. The authority is considering the option of providing a fac-simile version on its website.

With regard to data breach notification, the Garante recommends to keep a record of “under threshold” data breaches, in line with the provision set forth by Article 33.5 of the GDPR.

International data transfer

The Garante underlines that in case of data transfer based on an adequacy decision or standard contractual clauses, under the GDPR it will not be necessary to ask for a “national authorization” as under the code. However, it also considers the fact that the list of requirements for the approval of the BCRs (Article 47.2 of the GDPR) is not a closed one and competent authorities may extend it if necessary.

photo credit: Floris M. Oosterveld Italian Flag via photopin (license)