Guide on the Application of the General Data Protection Regulation
On April 28, 2017, the Italian Data Protection Authority (“DPA”) published a first extensive Guide (“Guide”) on the application of the General Data Protection Regulation (“GDPR”).
In particular, the DPA recalls the deadline of May 25, 2018 for implementing the new provisions set forth by the GDPR, stresses the most relevant changes with respect to the previous privacy legislation under Legislative Decree n. 196 of 2003 (“Privacy Code”), and gives specific recommendations and suggestions on the steps corporations should start carrying out, such as checking information notices, consent forms, and contracts.
The Guide is articulated in six areas.
I. Lawfulness of Processing
The DPA stresses that under the GDPR, the lawfulness of processing is based on the same elements set forth by the Privacy Code (such as consent, legitimate interest, and contractual obligations).
With regard to sensitive data,
The Guide highlights that consents given before May 25, 2018 are lawful and valid only if they meet the requirements set forth by the GDPR; if this is not the case, the DPA recommends gathering consents again in accordance with the European rules.
In particular, the information notice includes the identity and contact details of the controller and the processor, as well as the period for which the personal data will be stored or, where that is not possible, the criteria used to determine that period.
The DPA stresses how—differently from the Privacy Code
Moreover, the GDPR provides for more detailed requirements concerning the measures that the controller has to take in order to provide the information that must be given in writing, or by other means, including by electronic means.
The DPA recommends that controllers check, before May 25, 2018, whether the information they provide conforms to the new requirements set forth by the GDPR, with particular attention to its content and form.
III. Rights of the Data Subjects
The DPA provides a deep analysis of the most relevant innovations introduced by the GDPR with regard to rights of the data subjects and, particularly, the right of access,
With regard to the modalities for the exercise of such rights,
Information shall be provided free of charge, but the controller is allowed to charge a reasonable fee, taking into account the complexity of the request, where the request is manifestly unfounded or excessive, or if the data subject requests further copies.
The DPA recommends immediately implementing technical and organizational measures suitable to facilitate the exercise of data subjects’ rights and anticipates that it is planning on issuing guidelines on this specific issue.
The Guide highlights the many innovations introduced by the GDPR regarding controllers and processors.
First of all, the GDPR regulates the case of joint control, i.e. when two or more controllers jointly determine the purposes and means of processing; in such cases, controllers must determine in a transparent manner their respective responsibilities, with particular attention to the exercise of data subjects’ rights.
Secondly, it sets forth specific requirements for the designation of processors by providing that it shall be based on a contract or other legal act, binding on the processor; such contract or legal act shall contain specific information such as the nature, duration, and purpose of the processing, the type of data involved, and the appropriate technical and organizational measures in order to carry out activities given by the controllers and assure compliance with the GDPR.
The Guide stresses that the GDPR also provides for precise obligations for controllers, such as those concerning the records of processing activities, the adoption of technical and organizational measures in order to ensure the security of processing, as well as those regarding the designation of a data protection officer.
The DPA recommends that controllers review existing contracts and legal acts and verify whether situations of joint control exist, in order to define the respective responsibilities.
The Guide also clarifies that the provisions set forth by the Privacy Code with regard to persons in charge of processing remain in force as long as they comply with those set forth by the GDPR.
The DPA reports that the European Commission is working together with national authorities in order to set forth standard contractual clauses to use in contracts with processors and that the DPA is analyzing the codes of conduct currently in force.
With regard to certification mechanisms, the DPA notes that it is up to the national legislator to establish the requirements for certification bodies’ accreditation. It also recalls that the Article 29 Working Party
V. Accountability of Controllers and Processors
The Guide notes that one of the most relevant innovations introduced by the GDPR is the “accountability” of controllers/processors, consisting of the adoption of behaviors aimed at showing the concrete adoption of measures in compliance with the GDPR.
The DPA reminds controllers that they shall autonomously define the modalities, limits, and safeguards of data processing in compliance with the rules set forth by the European legislator.
The first criterion is the principle of “data protection by design”: controllers shall carry out an analysis aimed at defining ex ante the processing operations that will be implemented and at designing the safeguards necessary to protect data subjects’ rights.
Moreover, the Guide underlines the innovations concerning the records of processing activities
The DPA also stresses that pursuant to the GDPR, controllers/processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; thus, after May 25, 2018, security of processing will not be regulated by the general minimum obligations set forth by the Privacy Code,
With regard to the obligation to notify data breaches,
VI. Transfer of Personal Data to Third Countries or International Organizations
The DPA highlights that, pursuant to the GDPR, the transfer of personal data to non-EU countries does not require any specific national authorization when there is an adequacy decision issued by the European Commission or when the transfer is carried out under the specific procedures set forth by the GDPR (such as standard contractual clauses or binding corporate rules). The requirement of a national authorization remains in force where the data transfer is based on ad hoc contractual clauses or on administrative agreements between public authorities or bodies. The GDPR also recognizes that transfers of data may be based on codes of conduct or certification mechanisms as a means of demonstrating appropriate safeguards.
The DPA also clarifies that decisions of adequacy adopted by the European Commission (including the Privacy Shield and standard contractual clauses), as well as international agreements concerning the transfer of personal data concluded by Member States before May 24, 2016 remain in force until amended, replaced, or repealed.
With the Guide, the DPA provides controllers and processors with a first set of important guidelines concerning some key aspects of the new privacy system and discloses its intention to issue further guidelines and models.
In particular, the DPA recommends that controllers start checking the compliance of their systems with the requirements set forth by the GDPR before May 25, 2018, so that the necessary changes can be adopted in time.
Articles 35 and 36 GDPR.