Focus on: Compliance on Data Protection in Italy

De Luca & Partners

On 25 May 2018, Regulation (EU) 2016/679, the so-called “GDPR” (General Data Protection Regulation) – on the protection of natural persons (data subjects) with respect to the processing and transfer of personal data – became fully applicable in all EU Member States.

As an EU regulation, the GDPR is a provision to be directly applied in its entirety throughout the EU territory and, as clarified by the European Commission, originates from the desire, and the need, to harmonise and simplify the rules on the processing and transfer of personal data of natural persons, providing both Data Controllers (and Processors) and data subjects with legal certainty.

However, it would be a mistake not to consider the legislation and peculiarities of each Member State in which the GDPR is applicable. Indeed, the principles and provisions laid down by the GDPR must be applied taking into account the implementing rules of each Member State, which requires a local adaptation of the compliance obligations in each case.

Specifically, for example, to adapt national law to the new regulation, the Italian lawmaker adopted Legislative Decree no. 101/2018 of August 10, 2018, aligning the relevant national legislation, represented by Legislative Decree no. 196/2003 (the Privacy Code, and together with the GDPR, the Data Protection Law), with the GDPR.

The Data Protection and the employer-employee relationship

With respect to the above, Article 88 of the GDPR provides that each Member State may lay down more specific rules, by law or by national collective bargaining agreements (NCBA), to ensure the protection of the rights and freedoms regarding the processing of employees’ personal data in the context of employment relationships.

The above, for instance, allows continuity in terms of the individual and trade union protections and prerogatives provided for by Italian law, in primis by the “Statuto dei Lavoratori” (Law no. 300 of May 20, 1970, the Statute).

As a matter of fact, by means of Article 4, the Statute preserves the confidentiality of employees, defining the cases in which audio-visual equipment or other instruments from which the possibility of remote control of employees’ activities may derive, even only potentially, may be used. The same Article 4 requires the employer to provide workers with adequate information on how to use the tools provided and requires full compliance with the Data Protection Law, by referring directly to the provisions of the Italian Privacy Code.

Under Italian law, the control of employees is not limited to the “workplace” concept, eg, where it could be implemented through the installation of a video surveillance system (see (i) the “Video-surveillance Provision” of April 8, 2010 [doc. web. 1712680] and (ii) the European Data Protection Board – EDPB, “Guidelines no. 3/2019 on processing of personal data through video devices”), but also extends to the devices, apps and, generally, tools used to perform the employment services. In this respect, even before the GDPR became applicable, the Italian Data Protection Authority had issued the “Guidelines for the use of Internet and e-mail in public and private workplaces” [doc. web. 1387522], which clearly define the boundary between lawful and unlawful controls.

Please note that this is only an example of how a correct and compliant application of the provisions of the EU Regulation should be implemented considering local legislation.

In compliance with both the Statute and the Data Protection Law (see Article 25(1) of the GDPR), the employer must implement measures to protect employees’ personal data from the design stage of the processing (privacy by design) and by default (privacy by default), in line with the “accountability principle”. Compliance with the accountability principle also means adapting to local regulations.

The 5 most commonly underestimated tasks in the application of the GDPR in Italy

Based on the experience of our GDPR Team, corporations most often fail to comply with the EU and the above-mentioned Italian provisions in the following 5 cases.

(i) Adoption of security measures and policies – As recently reported by the Italian Data Protection Authority during the presentation of the Report on the activities carried out during the past year, held on June 2, 2021: “2020 was characterised, at global level, by the negative record of cyber-attacks, facilitated by the increased use of telematic channels as a result of the pandemic and which, a few weeks ago, became real hostile acts in the context of the conflict for the cyber domain”.

The high number of cyber-attacks and personal data breaches has undoubtedly raised the awareness of both Data Controllers (and Processors) and data subjects about the importance of the issue; on the other hand, it has revealed a low level of compliance by the actors involved, which underlines the importance of adopting security measures, policies and tools that help prevent such incidents.

Specifically, the adoption of internal policies is one of the tasks that is too often underestimated.

(ii) Appointments – Adopting internal policies that regulate the security of the information processed and define roles and responsibilities is a tool that not only serves to ensure the organisation’s compliance with the applicable Data Protection Law but also reduces the risk of damage that may directly affect the business of the Company. The internal policies and procedures to be adopted must be tailored to each case, based on the characteristics and risks that each situation presents, and must be consistent with any additional procedures already applied by the company. For economic reasons or due to a lack of awareness, it often happens that, in order to comply with the obligations deriving from the applicable law, standardised internal policies or procedures are adopted which are, in fact, not suitable for the organisation adopting them.

(iii) Training – Once policies and procedures have been adopted, training and awareness-raising of staff on their correct application is essential. Systematically educating and updating those who must apply them daily contributes to reducing the risks to which Data Controllers or Processors are exposed.

Defining roles and responsibilities, also through the adoption of internal procedures and policies, makes it possible, among other things, to meet another requirement that is often underestimated by both Data Controllers and Processors and which concerns the “Records of processing activities”.

(iv) Monitoring – Introducing monitoring plans, in the form of continuous verification of the actions taken by the Data Controller to ensure compliance with the Data Protection Law, as well as of the effective implementation of and compliance with policies, procedures, and organisational and security measures, is one of the tools aimed at ensuring full compliance with the so-called accountability principle, which requires the Data Controller to identify and manage the risks relating to the processing operations carried out.

(v) Continuous updating processes – It is common to find Records adopted in order to comply with the GDPR which are never reviewed or updated and which often no longer correspond to the actual situation to which they refer, since that situation has changed and evolved in the meantime.

In light of the above, since the entry into force of the GDPR, the Data Protection Law has certainly represented an interesting challenge for Europe, for the recipients of what the Regulation prescribes and for the subjects it aims to protect. It is a challenge which, in view of a constantly evolving scenario, does not seem destined to end and which the legislators and the Authorities of each Member State, although sharing common objectives, will have to continue to meet.