Greetings from Brussels,
Things are relatively quiet on the news front in Europe this week, which is not unimaginable given that we are in the throes of August. That said, news involving regulatory developments in Italy was brought to my attention this week by IAPP Board Member and Country Leader for Italy Rocco Panetta.
As communicated, Italy's data protection authority, the Garante, is one of the first European regulators to announce an approved Inspection Plan for the second semester of this year following the entry into force of the EU General Data Protection Regulation. Essentially, the Garante intends to center its inspections around large-scale data processing by companies and national public administration entities. In addition to this, the regulator will initially focus on two specific industries: banking and telemarketing. There will be a special emphasis on data protection measures in place, and in particular, data breach reporting provisions.
Interestingly, the inspections will also be carried out in cooperation with the Guardia di Finanza's special protection unit for privacy and online fraud. If you know anything about the Guardia di Finanza, you know it has a reputation for expertise in monitoring and enforcement activity. Speaking with some Italian professionals here in Brussels, I am told they are not shy, and the term "business friendly" does not necessarily spring to mind to describe them. Consequently, this reinforced collaboration with the Garante should demonstrate how seriously the Italian authorities are looking to enforce the GDPR.
In more detail, the intended inspection checks for the remainder of 2018 into 2019 will focus on organizational compliance with disclosure obligations, the acquisition of consent, data retention policies and their related security measures. Moreover, the monitoring will also consider compliance with the maintenance of data processing registers, impact assessments undertaken and the designation of the DPO as mandated. The inspection activity will also cover investigations initiated by citizens, with particular attention to the most serious violations.
On assessment of the first six months of 2018, the Garante collected 4.5 million euros worth of penalties. This is a 162 percent increase over the same period last year. It has been active, and unsurprisingly, disputed claims have also risen sharply over the same period, which will surely keep the Garante’s legal services busy.
The Garante has also issued its first compliance resolution under the GDPR, imposing privacy by design and by default obligations on GPS service providers following an investigation into corporate car fleets in Italy.
Panetta expressed his satisfaction that the Garante is well on track with the GDPR, adding: “The Italian authority has always been a pioneer in privacy and data protection under the past leadership of Prof. [Stefano] Rodotà and European Data Protection Supervisor Giovanni Buttarelli, and this legacy will continue under Mr. [Antonello] Soro, the current chairman, and his deputy Ms. [Augusta] Iannini.” Panetta went on to say that the Garante has historically sought to use its inspection powers to “understand, interpret and rule” according to the market reality, while balancing the need to actively counter a non-compliance mindset. More specifically, and in relation to the recent GPS ruling, Panetta stated he would welcome the views of the EDPB and other DPAs. The Italian case, while national in context, is one that may have ripple effects, in that the GDPR principles and ruling as set by the Garante could affect GPS services across the EU and beyond where cross-border processing is concerned.
Having also officially transposed the GDPR into Italian law this week, Italy is certainly purring through the gears, like a ‘Scuderia’ with intent.