This country-specific Q&A provides an overview of Data Protection & Cyber Security Law laws and regulations applicable in Italy.
Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws). Are there any expected changes in the data protection and privacy law landscape in 2022-2023 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
The European regulatory framework on privacy and personal data protection is mainly composed of the following instruments: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, also known as the “General Data Protection Regulation” or “GDPR”; Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, also known as the “e-Privacy Directive”; the national legislation implementing the GDPR and the e-Privacy Directive, i.e. Legislative Decree 196/2003, the so-called “Privacy Code”, as amended by Legislative Decree No. 101/2018 and, most recently, by D.L. 139/2021, converted, with amendments, by L. 205/2021, and D.L. 132/2021, converted, with amendments, by L. 178/2021; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, also known as the “Police Directive”; and the national legislation implementing the Police Directive, i.e. Legislative Decree No. 51/2018. These sources sit within the broader framework of fundamental rights under international and European Union law (see, for example, art. 8 ECHR; arts. 7 and 8 of the Charter of Fundamental Rights of the European Union; art. 16.1 TFEU).
There do not appear to be any substantial changes in the regulatory framework regarding data protection and privacy in the coming years, apart from what was stated in the answer to question no. 40 and other minor regulatory interventions, such as, for example, the issuing by the Garante Privacy according to art. 2-septies Privacy Code of a regulation containing more detailed safeguards regarding genetic, biometric and health-related data as well as the issuing by the Ministry of Justice, according to art. 2-octies of the Privacy Code, of a regulation regarding the processing of data relating to criminal convictions and offences.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There are no registration mechanisms or licensing requirements for entities covered by data protection and privacy laws. The matter is instead governed by the general principle of accountability, which leaves data controllers considerable operational and organizational autonomy in exchange for the obligation to be able to demonstrate compliance at any time.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
According to art. 4.1 GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. The special categories of data are those identified by art. 9.1 GDPR and, precisely, “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. The legislation also contemplates, in art. 10 GDPR, the category of personal data relating to criminal convictions and offences.
What are the principles related to, the general processing of personal data or PII – for example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The general principles applicable to the processing of personal data are as follows:
principle of lawfulness (art. 5.1.a) GDPR), whereby each processing operation must rest on an appropriate legal basis (art. 6 GDPR);
principle of fairness (art. 5.1.a) GDPR), whereby the processing of personal data must be conducted in good faith and without deceiving or misleading data subjects;
principle of transparency (arts. 5.1.a), 12, 13 and 14 GDPR), whereby data subjects must be informed in advance, in a clear and easily accessible form, about the processing activities carried out;
principle of purpose limitation (art. 5.1.b) GDPR), whereby the purposes actually pursued must be legitimate, specified and explicit, and data may not be further processed in a manner incompatible with them;
principle of minimization (art. 5.1.c) GDPR), whereby the data processed must be adequate, relevant and limited to what is strictly necessary to achieve the purposes;
principle of accuracy (art. 5.1.d) GDPR), whereby the data must be accurate and, where necessary, kept up to date;
principle of storage limitation (art. 5.1.e) GDPR), whereby personal data may not be kept in identifiable form for longer than is strictly necessary for the purposes pursued;
principles of integrity and confidentiality (arts. 5.1.f) and 32 GDPR), whereby appropriate technical and organizational measures must be taken to protect data against unauthorized or unlawful processing and against accidental loss, destruction or damage;
principle of accountability (art. 5.2 GDPR), whereby the data controller is responsible for compliance with the above principles and must be able to demonstrate it.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
Yes. Consent is required in certain cases typified by law (e.g., in the case of direct marketing carried out using automated contact tools ex art. 130.1 and 130.2 Privacy Code) as well as in other cases provided for by the Garante Privacy in its pronouncements.
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
According to art. 4.11 GDPR, in order to be valid, consent must be freely given, specific, informed and unambiguous, and, for the processing of special categories of data, explicit (art. 9.2.a) GDPR). Consent cannot be implied: silence, pre-ticked boxes or inactivity do not constitute consent (recital 32 GDPR). Where consent is requested in a written declaration that also concerns other matters (such as terms of service), the request must be presented in a manner clearly distinguishable from those other matters (art. 7.2 GDPR), and consent given for several distinct processing purposes must be obtained separately for each, so that it cannot be bundled. The data controller must be able to demonstrate that consent was obtained, and the data subject may withdraw it at any time as easily as it was given (arts. 7.1 and 7.3 GDPR).
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
As a rule, the processing of special categories of data is prohibited pursuant to art. 9.1 GDPR; however, this prohibition does not apply in the cases listed in art. 9.2 GDPR. Under art. 9.4 GDPR, Member States may introduce further conditions, including limitations, on the processing of genetic, biometric or health-related data (see art. 2-septies Privacy Code). There are no categories of personal data or PII whose collection is absolutely prohibited.
How do the laws in your jurisdiction address children’s personal data or PII?
In general, the GDPR gives minors specific protection in relation to their personal data, in particular with regard to the use of data for marketing and profiling purposes and to the collection of data when services are provided directly to the minor. The GDPR also requires that the information provided to the minor be simple, clear and easily understandable. With specific regard to the direct offer of information society services, where consent is the legal basis relied on, minors who are at least 14 years old may lawfully give it themselves; for minors under 14, consent must be given or authorised by the holder of parental responsibility (art. 8 GDPR and art. 2-quinquies Privacy Code).
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
There are no exceptions, exclusions or limitations beyond what has already been noted in the answer to question 8.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The principle of data protection by design is provided for in art. 25.1 GDPR. According to this provision, the data controller must take into account compliance with the regulatory obligations on the protection of personal data from the design stages of the initiatives that will involve data processing, in order to ensure that the development of these initiatives can progressively proceed in accordance with the principles applicable to data processing.
The principle of data protection by default is provided for in art. 25.2 GDPR. According to this provision, data controllers are responsible for carefully verifying specific parameters – such as the amount of personal data collected, the scope of processing, the storage period and the accessibility of such data – and consequently implementing appropriate technical and organizational measures so that the personal data processed by default are only those necessary for the specific processing purposes pursued, ensuring in particular that processed personal data are not made accessible to an indefinite number of natural persons without the prior intervention of the natural person concerned.
An effective tool for implementing the above principles, and one typically used by companies, is the data protection impact assessment (“DPIA”) under art. 35 GDPR, even where it is not mandatory under art. 35.1 but merely advisable.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
By virtue of the principle of accountability pursuant to art. 5.2 GDPR, the data controller is obliged to record and document, primarily in writing, its compliance with the rules on the processing of personal data. In addition to the DPIA mentioned above, important documentary tools are the legitimate interest assessment (“LIA”) under art. 6.1.f) GDPR, a document recording the balancing test that shows the legitimate interest invoked in support of a processing operation is not overridden by the interests or fundamental rights and freedoms of data subjects, and the record of processing activities under art. 30 GDPR, which provides an up-to-date overview of the processing operations in place within the organization.
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
According to art. 5.1.e) GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89.1 subject to implementation of the appropriate technical and organizational measures required by GDPR in order to safeguard the rights and freedoms of the data subject. By virtue of the principle of accountability, it is advisable to define data retention policies and procedures in which to specify the methodological principles that the data controller uses to identify the terms and criteria for the retention of personal data, providing, if necessary, a list of the terms and criteria thus identified.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
Prior consultation of the supervisory authority is mandatory where a data protection impact assessment under art. 35 GDPR indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk (art. 36.1 GDPR).
In addition, the data protection officer may consult the supervisory authority, where appropriate, on any other matter relating to the processing of personal data (art. 39.1.e) GDPR).
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The GDPR requires data controllers to adopt, in accordance with the principle of accountability, technical and organizational security measures appropriate to the risks that data processing entails. In this sense, data controllers are required to carry out both a general risk analysis across all processing activities and, in the cases referred to in art. 35 GDPR, a more specific data protection impact assessment (DPIA). The GDPR does not prescribe a methodology; in practice, risk assessments are carried out using methodologies derived from international standards such as ISO/IEC 27005 and ISO 31000, assessing the likelihood and the impact of each risk. A practitioner should note that the risk to be assessed under arts. 32 and 35 GDPR is the risk to the rights and freedoms of natural persons, not merely the business risk to the organization, so the impact scale must be expressed in terms of harm to data subjects.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
The appointment of a data protection officer (“DPO”) is mandatory in the cases referred to in art. 37.1 GDPR and art. 2-sexiesdecies Privacy Code. The DPO is a figure specialized in the protection of personal data and is characterized by requirements of professional expertise and functional independence (arts. 37.5 and 38.3 GDPR). The DPO is charged with at least the following tasks (art. 39 GDPR): (i) advising, training and raising awareness within the controller or processor that designated him/her, and monitoring compliance with data protection legislation; (ii) acting as contact point for the supervisory authority; (iii) acting as contact point for data subjects, who may contact him/her on all matters relating to the processing of their personal data and the exercise of their rights under arts. 15-22 GDPR.
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
Training is a fundamental organizational security measure that the data controller, in implementation of the accountability principle established by art. 5.2 GDPR, must provide for in its own privacy organizational model (articles 29 and 32.4 GDPR). It is therefore advisable to provide for a training program for persons authorized to process data both when they are hired and during their working activity, at least once a year, with documentary evidence of course attendance.
Do the laws in your jurisdiction require businesses to providing notice to individuals of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (e.g., are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
Compared to data controllers, who bear primary administrative responsibility for violations of the rules on the protection of personal data, data processors are usually responsible, from an administrative point of view, for the technical and organizational aspects of the processing activities they carry out. Several obligations are placed on processors directly by law (see in particular arts. 28.3, 30.2, 32, 33.2 and 83 GDPR), and these are in turn reproduced in the agreements that controllers and processors are required to conclude pursuant to art. 28 GDPR. A processor that, in breach of its mandate, determines the purposes and means of processing is treated as a controller in respect of that processing (art. 28.10 GDPR).
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
The essential content requirements of the agreements governing the relationship between data controllers and data processors are expressly set out in art. 28.3 GDPR. The obligation to carry out audits, due diligence and privacy and security assessments of processors falls on data controllers as a result of the general principle of accountability under art. 5.2 GDPR, which in turn is linked to more specific provisions: art. 28.1 GDPR requires controllers to use only processors providing sufficient guarantees of appropriate technical and organizational measures, and art. 28.3.h) GDPR requires the agreement to grant the controller audit and inspection rights. It is therefore recommended to carry out second-party audits in order to assess the security and data protection posture of the supply chain.
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
The legislation recognizes the general right of data subjects not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (art. 22.1 GDPR). Data controllers must therefore refrain from such decision-making unless one of the conditions in art. 22.2 GDPR applies: the decision is necessary for entering into or performing a contract between the data subject and the controller; it is authorised by Union or Member State law to which the controller is subject, provided that law lays down suitable safeguards; or it is based on the data subject’s explicit consent. Where the automated decision relies on special categories of data, the controller may proceed only if the conditions in art. 9.2.a) or g) GDPR are met and suitable measures to safeguard the data subject are in place (art. 22.4 GDPR). In the first and third cases, the controller must in any event implement suitable technical and organizational measures to guarantee the data subject the right to obtain human intervention, to express his or her point of view and to contest the decision (art. 22.3 GDPR). As regards tracking technologies, art. 122 Privacy Code (implementing art. 5.3 of the e-Privacy Directive) permits the storing of information, or the gaining of access to information already stored, in a user’s terminal equipment only with the user’s prior consent, except for technical cookies strictly necessary to provide a service requested by the user; the Garante Privacy’s Guidelines on cookies and other tracking tools of 10 June 2021 detail how valid consent must be collected and documented.
Please describe any restrictions on cross-contextual behavioral advertising. How is this term or related terms defined?
Please describe any laws in your jurisdiction addressing the sale of personal information. How is “sale” or related terms defined and what restrictions are imposed, if any?
The transfer of personal data to third parties, especially for commercial purposes, is governed by the indications of the Garante Privacy contained in its decisions, both those of a general nature (Guidelines on Marketing and against Spam of July 4, 2013) and specific enforcement decisions which contain important clarifications on the requirements applicable to this processing activity (for example, among the most recent, the Ordinanza di ingiunzione nei confronti di Enel Energia S.p.a. of December 16, 2021 and the Ordinanza di ingiunzione nei confronti di Sky Italia S.r.l. of September 16, 2021).
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
The matter is mainly governed by the provisions of the Privacy Code that implement Directive 2002/58/EC, the so-called “e-Privacy Directive”, as well as, more generally, by the principles contained in the GDPR. Among the provisions mentioned, art. 130 Privacy Code is particularly important: it requires data controllers to obtain the prior consent of the persons concerned before using automated means of contact (mainly, automated calling systems without human intervention, e-mail, fax, SMS and MMS), while non-automated means of contact (calls with a human operator and paper mail) are subject to the general rules of arts. 6 and 7 GDPR. There are exceptions to the consent requirement (e.g., the so-called soft spam exception for e-mail marketing of similar products to existing customers under art. 130.4 Privacy Code).
It should be added that certain aspects of the matter are also regulated by further specific legislation, including, for example, L. 5/2018, which governs registration in and operation of the Registro pubblico delle opposizioni (the public opt-out register).
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
The processing of biometric data is governed by the GDPR, which includes such data, when processed for the purpose of uniquely identifying a natural person, within the special categories referred to in art. 9, thus subjecting it to a stricter processing regime than that applicable to ordinary data. The matter is further regulated by the Privacy Code, which assigns to the Garante Privacy the task of introducing further provisions containing safeguard measures (art. 2-septies Privacy Code). The processing of biometric data is also addressed in the guidance of the EDPB (see in particular its Guidelines 3/2019 on processing of personal data through video devices).
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Within the framework of national and European law, the transfer of personal data to third countries not belonging to the European Economic Area (“EEA”) is permitted where the adequacy of the third country has been recognized by a specific decision of the European Commission (art. 45 GDPR). In the absence of such a decision, the transfer outside the EEA is subject to a twofold condition: the controller or processor must provide appropriate safeguards among those identified by paragraphs 2 and 3 of art. 46 GDPR, such as standard contractual clauses, and enforceable data subject rights and effective legal remedies must be available to data subjects in the third country (art. 46.1 GDPR), which in practice requires the exporter to verify that the third country’s law and practice do not undermine the protection afforded by those safeguards. Where neither condition is met, personal data may be transferred abroad only under the derogations for specific situations in art. 49 GDPR, which are exceptional and must be interpreted restrictively. In this framework, the judgment of the Court of Justice of the European Union (“CJEU”) of 16 July 2020 in case C-311/18 (the so-called “Schrems II” case) invalidated the EU-US Privacy Shield and significantly increased the difficulty of international data transfers to third countries. In that judgment, the CJEU confirmed that the transfer of personal data to third countries may under no circumstances result in undermining or weakening the protection afforded to data subjects within the EEA.
In the wake of the CJEU’s judgment, the European Data Protection Board (“EDPB”) intervened with two important pronouncements containing practical and principled guidance on transfers outside the EEA, both adopted on 10 November 2020: Recommendations 01/2020, which set out a step-by-step transfer impact assessment and the supplementary measures (contractual, organizational and technical, such as encryption with keys held solely in the EEA) that an exporter may need to add to the art. 46 safeguards, and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, against which third-country access to data by public authorities is to be assessed.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Both controllers and processors are accountable for the security measures they have implemented. Art. 32 GDPR requires the adoption of appropriate security measures – both technical and organizational – by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons.
In 2018, the EU Agency for Network and Information Security (ENISA, now the EU Agency for Cybersecurity) issued the Handbook on Security of Personal Data Processing, which provides guidance on the minimum technical measures companies should adopt for personal data processing, and the Technical Guidelines for the implementation of minimum security measures for Digital Service Providers, which aim to provide a common EU-level approach to the security measures to be implemented by digital service providers. Neither document is binding, but both are useful references when documenting why the measures chosen under art. 32 GDPR are appropriate to the risk.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Yes. Art. 4.12 GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Each of these outcomes can be understood as follows:
destruction: the data subjects’ personal data no longer exist, or exist only in a form that is of no use to the data controller;
loss: the data controller no longer holds the data, no longer has control over them, or has lost the ability to access them;
alteration: the data have been damaged in some way, for example modified, corrupted or made incomplete;
unauthorised disclosure: personal data have been made known to persons not authorised to receive them;
unauthorised access: personal data have been accessed by unauthorised recipients, or otherwise processed in violation of the GDPR.
The Article 29 Working Party (the predecessor of the European Data Protection Board, the independent EU body responsible for the consistent application of data protection rules) had already classified breaches according to the three classic information security properties in its Opinion 03/2014 on Personal Data Breach Notification.
It therefore distinguished between:
breach of personal data confidentiality: PII is, accidentally or unlawfully, disclosed or accessed by unauthorized parties.
breach of personal data integrity: alteration of PII, such as unauthorized or accidental modification of personal data.
breach of personal data availability: a breach that occurs in the cases of loss of PII, failure of the authorized party to access the PII, accidental or unlawful destruction of PII.
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Being an omnibus regime, EU and Italian data protection law is not sector-specific and, as such, generally applies to all areas where the processing of personal data takes place.
More sector-specific guidance is typically outlined in the Italian Data Protection Authority’s decisions, recommendations and guidelines, some of which were adopted before the GDPR became applicable but are still in force (e.g., regarding system administrators, the processing of personal data relating to fidelity cards and social media marketing). Regarding e-health records, the Agency for Digital Italy has the relevant legislation published on its website.
In any case, healthcare, banking and finance, together with sectors closely related to national security (defense, energy, telecommunications, etc.) are the most regulated sectors in Italy from a cybersecurity perspective.
In addition, with regard to specific sectors and critical infrastructures, it is worth mentioning DPCM no. 131/2020, implementing Decree Law no. 105/2019 on the National Cyber Security Perimeter, which came into force on November 5, 2020 and laid the first concrete foundations of the so-called National Cyber Security Perimeter.
Entities included in the Perimeter must perform a number of important tasks, such as annually updating the list of their ICT assets; conducting risk analyses to identify risk factors for incidents; designating the ICT assets on which their essential functions depend and analysing the associated risks to ensure the integrity, efficiency and security of the data and information they contain; implementing and managing the required security measures; and notifying incidents affecting those assets to the Italian CSIRT. In addition, hindering or obstructing the inspection and verification activities carried out within the Perimeter may give rise to criminal liability.
Legislative Decree 65/2018 implemented EU Directive 2016/1148 (NIS Directive), providing guidance on risk management and the prevention, mitigation and notification of cyber incidents and attacks.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
In case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach; where notification is made after 72 hours, it must be accompanied by the reasons for the delay (art. 33.1 GDPR). A processor that becomes aware of a breach must notify the controller without undue delay (art. 33.2 GDPR). The data controller must provide the authority with the information outlined in art. 33.3 GDPR, which may be supplied in phases if it is not all available at once (art. 33.4 GDPR), and includes:
the nature of the personal data breach
the categories and approximate number of data subjects concerned
the likely consequences of the breach
the measures taken or proposed to be taken to address it and mitigate its effects.
The supervisory authority need not be notified where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk for the persons concerned, the controller must also communicate it to the affected data subjects without undue delay (art. 34 GDPR), unless one of the exemptions in art. 34.3 GDPR applies, for instance because the data were protected by measures, such as encryption, that render them unintelligible to unauthorised persons. Regardless of whether notification is required, the controller must document every breach, including its facts, effects and the remedial action taken, so that the supervisory authority can verify compliance (art. 33.5 GDPR).
In addition, art. 13 of Legislative Decree 65/2018 takes the provisions of art. 33 GDPR into account, where applicable, by outlining a framework for cooperation between the competent NIS authority and the Italian Data Protection Authority (DPA) in the event of security incidents that also involve personal data breaches. This entails a double notification if a security incident results in a personal data breach: the operator must notify the DPA under art. 33 GDPR and the competent NIS authority under arts. 12 and 14 of Legislative Decree 65/2018. As regards data subjects, communication of a data breach is regulated by art. 34 GDPR.
EU supervisory authorities have provided guidance on data breaches in their relevant guidelines. The Italian DPA recently released a self-assessment tool on its website to help controllers and processors evaluate the necessity to notify the breach to the DPA and to data subjects.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Yes. In general, art. 3 of Legislative Decree 65/2018 defines cybersecurity, or “security of network and information systems”, as the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, those network and information systems.
Cybercrimes are defined as any crime committed by means of an information system and are listed in arts. 615-ter to 615-quinquies, 635-bis to 635-quinquies, 640-ter and 491-bis et seq. of the Italian Criminal Code.
Data Privacy is to be intended as the protection of natural persons in relation to the processing of personal data and is a fundamental right. Cybersecurity is an integral part of the protection of personal data, but it also extends to information that is not related to an identified or identifiable natural person.
In any case, personal data privacy, cybersecurity and criminal provisions are closely interconnected: a company can prevent cybercrime only if it has an adequate system of security measures in place. In Italy, the same conduct that is punished as a cybercrime may also give rise to administrative liability for the company itself, where it is committed in the company’s interest or to its advantage (Legislative Decree 231/2001, art. 24-bis).
For all these reasons, Italian jurisdiction includes laws and regulations that specifically address cyber threats that may occur in certain areas, such as risks associated with intellectual property and, in general, the dissemination of confidential information, as well as cyber threats associated with cloud computing.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
Yes. D.L. 82/2021 established the so-called Agency for National Cybersecurity. The Agency is the national authority with competence in cybersecurity for the purposes of the NIS Directive, with inspection and sanctioning functions, as well as competence to issue certifications pursuant to Regulation 2019/881. More generally, it concentrates many competences previously entrusted to other bodies (MISE, DIS, AGID), plus a series of functional tasks, including the implementation of policies for the prevention and monitoring of threats, participation in international exercises to assess the suitability of security measures, the drafting of the annual national cybersecurity plan, and an active role in defining a regulatory framework for the sector in collaboration with the academic and research world.
The Agency also incorporates, in addition to the Nucleus for Cybersecurity, the CSIRT (Computer Security Incident Response Team – Italy), to which a series of tasks are assigned, including:
monitoring cyber incidents at a national level, managing communication with the parties involved in events that compromise the security of networks and services;
constant dialogue with the European network of national CSIRTs;
communication to the Nucleus for Cybersecurity of the monitored events.
The CSIRT, in agreement with the Agency, also disseminates alert messages, via social channels and the publication of so-called “bulletins”, in order to make known the main indicators of compromise relating to cybersecurity events with wide-ranging consequences.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Yes. Privacy rights, as very personal and inalienable rights, are covered by articles 15-22 GDPR. In particular, they are the right of access, the right to rectification, the right to be forgotten, the right to restriction, the right to portability, the right to object and, finally, the right not to be subjected to decisions based solely on automated processing. The exceptions and restrictions to these rights are provided for in articles 2-undecies and 2-duodecies Privacy Code, in implementation and in compliance with art. 23 GDPR.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Yes. In cases where the exercise of privacy rights has been delayed, limited or excluded pursuant to art. 2-undecies Privacy Code, privacy rights may be exercised through the supervisory authority, in the manner set out in art. 160 Privacy Code. Furthermore, art. 77 ff. GDPR recognize that data subjects have the right to apply to the supervisory authority and the judicial authority also in order to ascertain the infringement of privacy rights whose exercise request has been rejected.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Yes. In cases where they complain of a breach of data protection rules, data subjects are entitled to exercise their right to lodge a complaint with the supervisory authority (see articles 77 GDPR; 141-144, 153 ff. Privacy Code; 1-9, 18-22 and 24-28 of L. 689/81). Data subjects may also appeal against legally binding decisions of the supervisory authority as well as against data controllers and data processors who are alleged to have violated their respective rights under the legislation (articles 78 and 79 GDPR; art. 152 Privacy Code; art. 10 of Legislative Decree 150/2011). These rights may be exercised on their own or by giving a mandate to bodies, organizations and associations representing the interested parties pursuant to art. 80 GDPR.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Yes. Pursuant to art. 82 GDPR, data subjects have the right to obtain compensation for material and non-material damage resulting from unlawful processing by the data controller or processor. In application of the civil-law logic of compensation for damages under articles 2043 ff. of the Civil Code, the injury to the right to protection of personal data must take the form of an actual and current financial or non-financial damage.
How are the laws governing privacy and data protection enforced?
The application of the regulations on privacy and personal data protection is guaranteed by the supervision of the Garante Privacy, an independent administrative authority entrusted with the general task of ensuring the protection of the fundamental rights and freedoms of those concerned and of facilitating the free movement of data within the EU, as well as by the ordinary judicial authority (art. 140-bis ff. Privacy Code).
What is the range of sanctions (including fines and penalties) for violation of these laws?
The sanctions applicable in the event of a breach of data protection regulations are governed by articles 83 and 84 GDPR and art. 166 Privacy Code. In principle, sanctions may be of a merely corrective nature (as in the case of warnings) or of a pecuniary nature; in the latter case, sanctions may extend, in the cases referred to in art. 83.4 GDPR, up to 10,000,000 EUR or, for companies, up to 2% of the total annual worldwide turnover of the previous financial year, whichever is higher, and, in the cases referred to in art. 83.5 GDPR, up to 20,000,000 EUR or, for companies, up to 4% of the total annual worldwide turnover of the previous financial year, whichever is higher.
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
Yes, there are the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 published by the EDPB on October 3, 2017.
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Yes. According to art. 78 GDPR, without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established. In Italy, jurisdiction in this area belongs to the ordinary judicial authority pursuant to art. 152 Privacy Code.
Are there any proposals for reforming data protection or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
Yes. The following regulations are aimed at reforming the regulatory framework currently in force in the European Union regarding the protection and circulation of personal data: Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (“Regulation on Privacy and Electronic Communications”, proposal adopted by the EC on 11/1/2017); Proposal for a Regulation of the European Parliament and of the Council on European data governance (“Data Governance Act”, proposal adopted by the EC on 25/11/2020); Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on Artificial Intelligence (“Artificial Intelligence Act”, proposal adopted by the EC on 22/4/2021); Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (“Data Act”, proposal adopted by the EC on 24/2/2022).