Privacy and GDPR, the ABC’s


Privacy has belonged to the common lexicon for decades, but it has only been a year since citizens and consumers were finally put in a position to unsubscribe from databases and newsletters. What happened? In just a few months, the GDPR has proven to be one of the most effective pieces of legislation in the history of a united Europe. The ABC follows.

GDPR, the fortress of privacy

The ‘General Data Protection Regulation’ (GDPR), which concerns the ‘protection of individuals with regard to the processing and free movement of personal data’, has drastically reformed the regulation of privacy. (1) It has applied since 25.5.18, the date of its application throughout the entire Internal Market, and was followed by the adaptation of the Italian Data Protection Code. (2)

In the GDPR, the protection of personal data and privacy is given further, specific expression through the express recognition of the following rights:

– oblivion (the right to be forgotten). The possibility of requesting the permanent deletion of one’s personal data at any time must be guaranteed,

– portability. A data subject has the right to obtain the personal data concerning him or her that has already been provided to an operator, so that it can be reused for other purposes, (3)

– objection (opposition). The data subject always has the option to object to the processing of his or her personal data.

GDPR, the duties of operators

All operators to whom a range of activities (collection, recording, storage, dissemination, modification, deletion and destruction of personal data) are attributable must adopt appropriate procedures. More specifically, they must be able to demonstrate that they have taken effective technical and organizational measures to ensure the fairness of the processing of each piece of information.

In each organization, the individuals required to deal with data processing are the Data Controller, the Data Processor, the Data Protection Officer (DPO) and the Data Subject. Each has their own functions, competencies and responsibilities, as described in the GDPR. The real novelty is the DPO, who can be designated to provide support and verification, consultations and disclosures, including liaison, where required, with the Garante authority.

An ‘accountability’ document is necessary to analyze the risks of the data processing carried out, as well as to define the procedures and measures that should be observed and supervised within the organization to mitigate those risks.

More complex organizations, under certain circumstances, have a duty to document their organization’s compliance with the requirements of the law in a dedicated register, which may be reviewed by the supervisory authority.

GDPR, controls and penalties

The Guarantor for Privacy (the Garante) delegates inspections to the Guardia di Finanza in order to check that companies comply with the rules established by the GDPR. Officers are required to verify, in particular, the practical adequacy of the accountability document with respect to the need to prevent the risks of mishandling individuals’ information.

The sanctions are draconian. The GDPR introduced administrative fines of up to 20 million euros or 4 percent of corporate turnover.

Legislative Decree No. 101/2018 in turn updated the criminal penalties in relation to the following offenses:

– Unlawful processing of personal data,

– Fraudulent acquisition of personal data,

– Unlawful communication and dissemination of personal data,

– False statements to the Guarantor,

– Failure to comply with the orders of the Guarantor.

Fabio Zaninetti and Dario Dongo

Notes

(1) See EU Regulation No. 679/16

(2) See Legislative Decree 101/2018, amending Legislative Decree 196/03


Lawyer specializing in labor law, human resource enhancement policies, privacy regulations. He collaborated for 14 years with the Institute of Private Law of the Università Statale degli Studi di Milano.

Dario Dongo, lawyer and journalist, PhD in international food law, founder of WIISE (FARE - GIFT - Food Times) and Égalité.