On 19th September 2018 Legislative Decree n° 101 of 10th August 2018 came into force to adjust the Italian personal data protection code (Legislative Decree no. 196 of 30th June 2003) to the provisions of (EU) Regulation 2016/679.
The Supervisory Authority makes the text of the Code regulated by law available on its institutional web site.
The general part of the Italian Privacy Code is almost entirely replaced by the provisions of the Regulation, so that the previously valid rules on the principles, legal basis of the processing, information and consent are now repealed and replaced by those of the European Regulation.
With regard to the special part of the text, the main novelties are listed below:
Legislative Decree 101/2018 states that the notice under art. 13 GDPR is to be given on the “first suitable occasion” after the sending of the curriculum vitae. Within the limits of the purposes described in article 6 par. 1) letter b) of GDPR, the consent of the applicant to the processing of personal data contained in the curriculum is not required.
The provisions of Article 4 of the Workers’ Statute (as amended in 2015 by the Jobs Act) are expressly left unaffected, and the penalty pursuant to Article 38 of Law 300/1970 is also confirmed for cases of violation of paragraph 1 of Article 4 of the Workers’ Statute.
The reform protecting SMEs, contained in the new art. 154-bis, par. 4 of the Privacy Code (introduced by Legislative Decree 101/2018), is especially important: it states that, with regard to micro, small and medium enterprises, given the simplification requirements, the Supervisory Authority shall include in its guidelines simplified ways to comply with the obligations of the data controller.
With regard to the direct offer of “information society services”, consent can be given by minors upon reaching 14 years of age. Below this limit consent shall be given by the adult who exercises parental responsibility.
Lawmakers decided to guarantee continuity by accepting the provisions of the Supervisory Authority on a provisional basis, to be reviewed later on. The Supervisory Authority, with a general provision to be discussed and published within ninety days from the coming into force of the decree, shall identify the provisions contained in the general authorisations that are compatible with the provisions of the GDPR and of legislative decree 101/2018 and, if necessary, shall update them.
The general authorisations thus audited that are considered incompatible with the GDPR shall cease to be effective.
The Supervisory Authority is also required to promote the issue of codes of ethics dealing with the processing of personal data in some sectors (work, journalism, statistics and scientific research), involving the interested parties and holding a public consultation.
The Italian lawmakers decided to introduce penalties, as the GDPR allows all Member States to do, for some violations of the privacy laws; such penalties are to be added to the severe administrative sanctions established in the Regulation (up to 20 million Euro or 4% of the gross annual world turnover). The penalties punish:
In the presence of an especially wide-ranging and strict system of administrative sanctions, characterised by a strong deterrence, some early commentators highlighted a possible violation of the “ne bis in idem” prohibition, in respect of some behaviours.
The rule dealing with personal data of deceased persons is worth mentioning here.
The rights under articles 15 to 22 of the GDPR concerning the personal data of deceased persons can be exercised by persons holding a personal interest, or acting to protect the data subject as an agent, or for family reasons worth protecting.
The exercise of the abovementioned rights is not allowed when it is prohibited by law, or when – limited to the “direct offer of information society services” – the data subject expressly forbade it with a written and unequivocal statement.
This prohibition cannot, however, produce effects that penalise the exercise by third parties of the rights of property derived from the death of the data subject or the right to defend one’s own interests in court.