Client Alert
Guide on the Application of the General Data Protection Regulation
May 22, 2017
Francesca Petronio & Marilena Hyeraci
On April 28, 2017, the Italian Data Protection Authority (“DPA”) published a first extensive Guide (“Guide”) on the application of the General Data Protection Regulation (“GDPR”).[1]
In particular, the DPA recalls the deadline of May 25, 2018 to implement the new provisions set forth by the GDPR, stresses the most relevant changes with respect to the previous privacy legislation pursuant to Legislative Decree n. 196 of 2003 (“Privacy Code”) and gives specific recommendations and suggestions on the steps that corporations should start taking, such as checking information notices, consent forms, and contracts.
The Guide is articulated in six areas.
I. Lawfulness of Processing
The DPA stresses that under the GDPR, the lawfulness of processing is based on the same elements set forth by the Privacy Code (such as consent, legitimate interest, and contractual obligations).[2]
With regard to sensitive data,[3] pursuant to the GDPR consent must be explicit.[4] While explaining that the term “explicit” does not necessarily refer to “written statements,” the DPA also recognizes that consents given by a written statement are a better indication of the data subject’s agreement to the processing of his personal data.
The Guide highlights that consents given before May 25, 2018 remain lawful and valid only if they meet the requirements set forth by the GDPR; if this is not the case, the DPA recommends gathering consents again pursuant to the European rules.
II. Information
The Guide highlights that the information to be provided where personal data are collected from the data subject pursuant to the GDPR[5] is broader than that required by the Privacy Code.[6]
In particular, the information notice includes the identity and contact details of the controller and the processor, as well as the period for which the personal data will be stored or, where that is not possible, the criteria used to determine that period.[7]
The DPA stresses how—differently from the Privacy Code[8]—the GDPR provides that where personal data have not been obtained from the data subject, the controller shall provide the data subject with the required information within a reasonable period after obtaining the personal data (i.e., at the latest within one month, or at the time of the first communication to the data subject).[9]
Moreover, the GDPR provides for more detailed requirements concerning the measures that the controller has to take in order to provide the information that must be given in writing, or by other means, including by electronic means.[10]
The DPA recommends controllers to check—before May 25, 2018—the conformity of the information provided with the new requirements set forth by the GDPR with particular attention to their content and form.
III. Rights of the Data Subjects
The DPA provides a deep analysis of the most relevant innovations introduced by the GDPR with regard to rights of the data subjects and, particularly, the right of access,[11] the right to be forgotten,[12] the right to restriction of processing,[13] and the right to data portability.[14]
With regard to the modalities for the exercise of such rights,[15] the Guide stresses that the GDPR sets forth a time limit for the controller to provide information on the action taken on a request by the data subject (one month at most, extensible to three months if the request is particularly complex). The controller shall give an answer to the data subject even when it does not take action on the request; information shall be provided in a concise, transparent, intelligible, and easily accessible form and it shall be provided in writing, unless the data subject requests that it be provided orally.
Information shall be provided free of charge, but the controller is allowed to charge a reasonable fee, taking into account the complexity of the request, where the request is manifestly unfounded or excessive, or if the data subject requests further copies.[16]
The DPA recommends immediately implementing technical and organizational measures suitable to facilitate the exercise of data subjects’ rights and anticipates that it is planning on issuing guidelines on this specific issue.
IV. Controller/Processor
The Guide highlights the many innovations introduced by the GDPR regarding controllers and processors.
First of all, the GDPR regulates the case of joint control, i.e. when two or more controllers jointly determine the purposes and means of processing; in such cases, controllers must determine in a transparent manner their respective responsibilities, with particular attention to the exercise of data subjects’ rights.[17]
Secondly, it sets forth specific requirements for the designation of processors, providing that it shall be based on a contract or other legal act binding on the processor; such contract or legal act shall contain specific information such as the nature, duration, and purpose of the processing, the type of data involved, and the appropriate technical and organizational measures needed to carry out the activities entrusted by the controller and to ensure compliance with the GDPR.[18]
The Guide stresses that the GDPR also provides for precise obligations for controllers, such as those concerning the records of processing activities, the adoption of technical and organizational measures in order to ensure the security of processing, as well as those regarding the designation of a data protection officer.
The DPA recommends controllers to check existing contracts/legal acts and to verify the existence of situations of joint control in order to define the respective responsibilities.
The Guide also clarifies that the provisions set forth by the Privacy Code with regard to persons in charge of processing remain in force as long as they comply with those set forth by the GDPR[19] and recommends controllers and processors to maintain designation processes and organizational structures in line with the national legislation.
The DPA reports that the European Commission is working together with national authorities in order to set forth standard contractual clauses to use in contracts with processors and that the DPA is analyzing the codes of conduct currently in force.
With regard to certification mechanisms, the DPA notes that it is up to the national legislator to establish the requirements for certification bodies’ accreditation. It also recalls that the Article 29 Working Party[20] is working on such matters.
V. Accountability of Controllers and Processors
The Guide notes that one of the most relevant innovations introduced by the GDPR is the “accountability” of controllers/processors, which consists of adopting conduct that demonstrates the concrete implementation of measures in compliance with the GDPR.
The DPA recalls that controllers shall autonomously define the modalities, limits, and safeguards of data processing in compliance with the rules set forth by the European legislator.
The first criterion is the principle of “data protection by design”: controllers shall carry out an analysis aimed at defining ex ante the processing operations which will be implemented and at designing the necessary safeguards in order to protect data subjects’ rights.[21] The second criterion is based on the “data protection impact assessment,” which consists of an evaluation of the risks that the envisaged processing operations pose to the rights and freedoms of data subjects, taking into account the measures that controllers intend to implement in order to reduce such risks.[22] In this respect, the DPA makes reference to the guidelines issued by the Article 29 Working Party.[23]
Moreover, the Guide underlines the innovations concerning the records of processing activities,[24] which must be kept in writing, including in electronic form. Such records play a fundamental role in the lawful processing of personal data, and the Guide recommends their adoption by all controllers/processors. Additionally, the DPA discloses that it is currently working on making available on its website a model record in order to ease its implementation by controllers.
The DPA also stresses that pursuant to the GDPR, controllers/processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; thus, after May 25, 2018, security of processing will no longer be regulated by the general minimum obligations set forth by the Privacy Code,[25] but by specific and detailed rules. For some categories of processing, the DPA highlights that security measures currently implemented will remain valid if based on specific rules, and it also underlines the possibility of adopting specific codes of conduct or certification mechanisms in order to demonstrate the required safeguards.
With regard to the obligation to notify data breaches,[26] the DPA clarifies that notification to the competent authority is not automatically mandatory, but is subject to an assessment of the risk to the rights and freedoms of data subjects. The DPA also recommends that controllers adopt all suitable measures in order to document all data privacy violations, as, upon request, they have the duty to supply the competent authority with the necessary documentation.
VI. Transfer of Personal Data to Third Countries or International Organizations
The DPA highlights that pursuant to the GDPR, the transfer of personal data to non-European countries does not require any specific national authorization when there is an adequacy decision issued by the European Commission or the transfer is carried out under the specific procedures set forth by the GDPR (such as standard contractual clauses or binding corporate rules). The requirement of a national authorization remains in force where the data transfer is based on ad hoc contractual clauses or on administrative agreements between public authorities or bodies. The GDPR also recognizes the possibility that transfers of data be based on codes of conduct or certification mechanisms in order to demonstrate appropriate safeguards.[27]
The DPA also clarifies that adequacy decisions adopted by the European Commission (including the Privacy Shield and standard contractual clauses), as well as international agreements concerning the transfer of personal data concluded by Member States before May 24, 2016, remain in force until amended, replaced, or repealed.
VII. Conclusions
With the Guide, the DPA provides controllers and processors with a first set of important guidelines concerning some key aspects of the new privacy system and discloses its intention to issue further guidelines and models.
In particular, the DPA recommends that controllers start checking the compliance of their systems with the requirements set forth by the GDPR before May 25, 2018, in order to adopt the necessary changes in a timely manner.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Article 6 GDPR.
[3] “Sensitive data” are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, as well as data concerning health or a natural person’s sex life or sexual orientation (Article 9 GDPR).
[4] Article 9 GDPR.
[5] Article 13 GDPR.
[6] Article 13 Privacy Code.
[7] The detailed list of the requirements is set forth by Article 13 GDPR.
[8] Article 13, paragraph 4 Privacy Code.
[9] Article 14 GDPR.
[10] Article 12 GDPR.
[11] Article 15 GDPR.
[12] Article 17 GDPR.
[13] Article 18 GDPR.
[14] Article 20 GDPR.
[15] Article 12 GDPR.
[16] Articles 12 and 15 GDPR.
[17] Article 26 GDPR.
[18] Article 28 GDPR.
[19] Article 30 Privacy Code.
[20] The Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
[21] Article 25 GDPR.
[22] Articles 35 and 36 GDPR.
[23] The guidelines were published on April 4, 2017 and are available at the following link: http://ec.europa.eu/justice/data-protection/index_en.htm.
[24] Article 30 GDPR.
[25] Articles 33-36 Privacy Code.
[26] Data breaches shall be notified without undue delay and within 72 hours, especially when controllers consider that the data breach could result in a risk to the rights and freedoms of data subjects (Article 33 GDPR).
[27] Articles 44-50 GDPR.