-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).
The key laws that govern privacy and data protection in Italy are the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”);
- Legislative Decree No. 196/2003 (“Privacy Code”), as amended by Legislative Decree No. 101/2018 and, most recently, by Law Decree No. 139/2021, converted, with amendments, by Law No. 205/2021 and Law Decree No. 132/2021, converted, with amendments, by Law No. 178/2021, which harmonizes the Italian data protection framework with the GDPR and transposes Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (“e-Privacy Directive”);
- Legislative Decree No. 51/2018 that implements in the Italian legal framework Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (“Police Directive”).
The Privacy Code provides that the Garante per la protezione dei dati personali (“GPDP”) is the supervisory authority in Italy in charge of supervising compliance with data protection legislation.
As far as the Italian regulatory framework on cybersecurity is concerned, the primary legal acts are the following:
- Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019, on the position and powers of the European Union Agency for Cybersecurity (“ENISA”) in the field of information security (“Cybersecurity Act”);
- Legislative Decree No. 65/2018, which transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (“NIS Directive”) into the Italian legal framework. In this respect, it is worth mentioning that the new NIS Directive (“NIS2”) entered into force on 16 January 2023 and sets a mandatory deadline of 17 October 2024 for Member States to transpose it into national law;
- Legislative Decree No. 105/2019, which constituted the National Cybersecurity Perimeter (Perimetro di Sicurezza Nazionale Cibernetica – “PSNC”);
- DPCM No. 131/2020, “Regulation on the National Cybersecurity Perimeter”, and
- Legislative Decree No. 82/2021 containing “Urgent provisions on cyber security, definition of the national cyber security architecture and establishment of the National Cyber Security Agency” (Agenzia per la Cybersicurezza Nazionale – “ACN”).
As for the authorities that are in charge of overseeing compliance with cybersecurity requirements, please see question 33.
-
Are there any expected changes in the data protection, privacy and cybersecurity landscape in 2023-2024 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
No substantial changes in the Italian data protection and privacy regulatory framework are expected in the coming years, apart from what is stated in questions no. 42 and 43 below and other minor regulatory interventions, such as the decree issued by the GPDP pursuant to art. 2-septies of the Privacy Code (i.e., a regulation containing more detailed safeguards regarding genetic, biometric and health-related data) as well as the adoption by the Ministry of Justice of a decree regulating the processing of data relating to criminal convictions and offences pursuant to art. 2-octies of the Privacy Code.
As far as cyber security in the EU is concerned, a path of transformation is being outlined, with the Cyber Security Strategy 2020 as the starting point. This strategy (that was adopted in December 2020) outlines several key objectives and steps that will be implemented in the coming years to strengthen cybersecurity in the EU. This new cybersecurity framework will mainly be grounded upon three main pillars: resilience, operational capacity, and cooperation between EU Member States. The Cybersecurity Act and NIS2 represent the core of this new cyber structure. In terms of new legislative initiatives, in 2022 the European Commission proposed the European Cyber Resilience Act (“CRA”), on which the European Parliament is expected to vote by March 2023.
In Italy, it is worth mentioning the National Strategy for Cybersecurity 2022-2026, which aims to implement the cyber-resilient digital transformation of the Public Administration, to anticipate the evolution of cyber threats and to manage cyber crises. In addition, this strategy aims to promote national and European digital strategic autonomy to directly control how data is processed, stored and transported using modern technologies.
-
Are there any registration or licensing requirements for entities covered by these laws, and, if so, what are the requirements? Are there any exemptions?
Under the GDPR and the Privacy Code, there are no registration or licensing requirements for entities subject to data protection and privacy laws, as the general principle of accountability gives data controllers considerable operational and organizational autonomy. At the same time, organizations that have appointed a Data Protection Officer (“DPO”) pursuant to the GDPR shall communicate the contact details to the GPDP by following a specific procedure made available online by the GPDP. Moreover, organizations may be required to consult with the GPDP under certain circumstances as further detailed below in question 15.
Moreover, the Italian government has introduced a new regulation, by means of ACN Resolution No. 307/2022, on the qualification of cloud services for public administrations to improve cybersecurity. Under this new regulation, cloud services will be required to undergo a thorough examination of their highest security credentials. Starting from 1 August 2023, cloud companies wishing to process data will be required to obtain the appropriate qualification from the ACN, which will vary depending on the type of data they process.
To obtain the ACN qualification, cloud services must be certified to ISO 9001 and to either ISO/IEC 27001 or, as an alternative, CSA-STAR Level 2. Cloud services must demonstrate that they have strong quality and information security management processes in place to protect customer data and information. These certifications help ensure that cloud services adhere to high standards and maintain a secure and reliable cloud infrastructure.
-
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The definitions of “personal data” and “special categories of personal data” are set forth under the GDPR. According to art. 4.1 GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Special categories of personal data are those identified by art. 9.1 GDPR and, precisely, “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. The GDPR also contemplates, in art. 10 GDPR, the category of personal data relating to criminal convictions and offences.
The definition of personal data identified above also applies to cybersecurity. However, the legislation on cybersecurity has a broader scope than the GDPR in that it includes all types of information, such as non-personal data and business data.
Non-personal data can be divided into two groups based on their origin: data that was not originally associated with an identified or identifiable natural person (such as weather data generated by sensors installed on wind turbines, or data on the maintenance needs of industrial machinery) or data that was originally personal data but was later anonymized.
Business data is a term that is used to describe the information that is generated, collected, processed, and retained by an organization in the course of its business.
ACN Resolution No. 307/2022 also establishes a procedure for classifying government data into three different categories (i.e., ordinary, critical and strategic) in order to ensure their security. The classification process is guided by a well-defined set of criteria covering various aspects, such as asset management, governance, risk assessment, supply chain, identity management, data security, information protection processes and procedures, maintenance of information and industrial control systems, and technical security solutions. Data classification is essential to determine the level of protection required for each category of data and to ensure the integrity, confidentiality, and availability of information. By properly classifying data, public administrations can manage data protection more effectively, reduce the risk of cybersecurity incidents, and implement appropriate security measures and policies to protect sensitive information. Ultimately, this contributes to the overall security and resilience of government systems.
-
What are the principles related to the general processing of personal data or PII. For example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction, or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The general principles applicable to the processing of personal data are the following:
- Principle of lawfulness (art. 5.1.a) GDPR) – The processing of personal data must have a legal basis under the GDPR;
- Principle of fairness (art. 5.1.a) GDPR) – The processing of personal data must be based on the principles of honesty and good faith;
- Principle of transparency (articles 5.1.a), 12, 13 and 14 GDPR) – Data subjects shall be adequately informed about the processing activities carried out in relation to their personal data;
- Principle of purpose limitation (art. 5.1.b) GDPR) – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Principle of minimization (art. 5.1.c) GDPR) – Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Principle of accuracy (art. 5.1.d) GDPR) – Personal data must be accurate and, if necessary, updated;
- Principle of storage limitation (art. 5.1.e) GDPR) – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Principles of integrity and confidentiality (articles 5.1.f) and 32 GDPR) – Appropriate security measures shall be implemented to preserve personal data from certain adverse events (including unauthorized or unlawful processing, accidental loss, destruction or damage);
- Principle of accountability (art. 5.2 GDPR) – The data controller must ensure compliance with these principles and be able to demonstrate such compliance.
-
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
Yes. Consent is required in certain cases typified by law (e.g., for direct marketing activities carried out by using automated calling systems without human intervention, fax, electronic mail, SMS, MMS and similar means pursuant to art. 130.1 and 130.2 of the Privacy Code, and for storing information in, or gaining access to information stored in, the terminal equipment of a contracting party or a user pursuant to art. 122 of the Privacy Code) as well as in other cases provided for by the GPDP in its decisions (e.g., for the processing of genetic data for some specific purposes identified by the GPDP).
-
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
According to art. 4.11 GDPR, in order to be valid, consent must be freely given, specific, informed and unambiguous; with regard to the processing of special categories of personal data, it must also be explicit, according to art. 9.1 GDPR.
-
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection or disclosure?
As a rule, the processing of special categories of data is prohibited pursuant to art. 9.1 GDPR, unless one of the circumstances identified in art. 9.2 GDPR applies (e.g., data subjects’ explicit consent). According to art. 9.4 GDPR, Member States may introduce further conditions regarding the processing of genetic, biometric or health-related data (see art. 2-septies Privacy Code, also mentioned in question 10 below). There are no categories of personal data or PII that are absolutely prohibited from collection.
-
How do the laws in your jurisdiction address children’s personal data?
In general, the GDPR gives minors specific protection in relation to their personal data with regard, in particular, to the use of their personal data for marketing and profiling purposes and to the collection of data when using services provided directly to the minor. The GDPR also provides that the information provided to the minor must be simple, clear, and easily understandable. Minors who are at least 14 years old may lawfully consent to the processing of their personal data in relation to the offer of information society services directly to them; on the other hand, if the minor is below the age of 14 years, for the purposes of lawful data processing, consent must be given by the holder of parental responsibility (arts. 8 GDPR and 2-quinquies Privacy Code).
-
How do the laws in your jurisdiction address health data?
Health data falls under the definition of “special categories of personal data” pursuant to art. 9 GDPR. The processing of health data is therefore only permitted in limited circumstances, such as when the data subject has given his/her explicit consent or when it is necessary for medical treatment.
Under the Privacy Code, the processing of health data must be carried out in compliance with specific safeguards to be adopted by the GPDP every two years pursuant to art. 2-septies of the Privacy Code. The same article also provides that dissemination of health data (as well as genetic and biometric data) is prohibited. Art. 2-sexies also identifies some processing operations of special categories of personal data that must be considered as necessary for the performance of a task carried out in the public interest.
In a note issued in March 2019, the GPDP provided some clarifications on the processing of health data, where it pointed out (among other things) that, based on art. 9.2.h) and art. 9.3 GDPR, healthcare professionals who are subject to a duty of confidentiality do not require their patients’ consent in order to process their data for the purpose of providing healthcare services (while processing activities that go beyond this purpose need to be subject to the patient’s express consent).
In addition, Law No. 833/1978 established the National Health Service and provides specific rules for the processing of health data within the healthcare system. It sets out the obligations for healthcare providers and establishes the criteria for the collection, storage, and use of health data. In Italy, there are also specific regulations and guidelines on the use and implementation of the Electronic Health Record system (Fascicolo Sanitario Elettronico), which set out rules for the collection, storage, and use of health data within the said system. The GPDP has also provided specific guidelines and recommendations on the use of Health Files (Dossier Sanitario Elettronico – which includes information on patients’ medical history within a given health care facility) and on the safeguards to be implemented in relation to medical online reports (i.e., written reports that are issued by a medical professional following a clinical / instrumental exam).
Medical devices are regulated in the EU by the Medical Devices Regulation (“MDR”) and by the In Vitro Diagnostic Medical Devices Regulation (“IVDR”). These regulations provide a legal framework for the safety and performance of medical devices and set specific requirements for their design, manufacture, and use.
-
Do the laws include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Other than the peculiarities described in the other answers, the Privacy Code sets out some deviations from (or specifications of) the general rules in relation to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and in the context of journalistic activities. Moreover, the Privacy Code has also introduced some limitations on data subjects’ rights. In particular, art. 2-undecies of the Privacy Code provides that data subjects’ rights under arts. 15-22 and 77 GDPR may not be exercised if this would result in material damage to a number of values and interests protected by the law (e.g., the interests protected by provisions on money laundering or the confidentiality of the identity of whistleblowers). Moreover, art. 2-duodecies provides that the rights and obligations set out in arts. 12-22 and 34 GDPR may be delayed, limited, or excluded for reasons of justice.
-
Does your jurisdiction impose requirements of ‘data protection by design’ or ‘data protection by default’ or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The principle of data protection by design is provided for in art. 25.1 GDPR. Pursuant to this principle, the data controller must take into account compliance with the applicable data protection requirements from the design stages of the initiatives that will involve personal data processing, in order to ensure that the development of these initiatives can progressively proceed in accordance with those requirements.
The principle of data protection by default is set forth under art. 25.2 GDPR. Pursuant to this principle, data controllers are responsible for carefully verifying specific parameters – such as the amount of personal data collected, the purpose of processing, the storage period and the accessibility of such data – and consequently for implementing appropriate technical and organizational measures to ensure that, by default, only the personal data that are necessary for the specific purposes pursued are processed. In particular, such measures must ensure that the processed personal data are not made accessible to an indefinite number of individuals without the prior intervention of the natural person concerned.
An effective tool for implementing the above-mentioned principles is the performance of a Data Protection Impact Assessment – “DPIA” (in accordance with art. 35 GDPR) even when this is not strictly mandated by the law.
-
Are owners/controllers or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
According to the principle of accountability set out in art. 5.2 GDPR, the data controller shall be able to demonstrate, also through written documentation, its compliance with the applicable data protection requirements. This can be done by carrying out DPIAs (as mentioned in question 12), by documenting the balance of the interests in play (i.e., the interest invoked by the data controller on the one hand and the rights and freedoms of data subjects on the other) when legitimate interest is identified as the applicable legal basis, and by keeping a record of processing activities pursuant to art. 30 GDPR.
-
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
According to art. 5.1.e) GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89.1 GDPR (subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject). Under the accountability principle, it is advisable to define data retention policies and procedures where the data controller should specify the applicable retention periods and / or the criteria for determining such retention periods and the measures to be implemented for ensuring prompt deletion / anonymization once such periods expire.
-
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
Pursuant to art. 36 GDPR, prior consultation of the GPDP is necessary where the results of a DPIA indicate that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate such risk. The GDPR also allows the DPO to consult the GPDP on any matter relating to the processing of personal data (art. 39.1.e) GDPR).
The Privacy Code also includes specific provisions on the need to consult the GPDP and/or request the GPDP’s authorization in the context of medical research programs or other processing activities that are conducted for scientific research or statistical purposes (under the specific conditions set out under arts. 110 and 110-bis of the Privacy Code). A notification requirement is also prescribed under art. 2-ter of the Privacy Code (as amended by Law Decree No. 139/2022), which sets out the conditions under which the dissemination and communication to third parties of personal data that are processed for reasons of public interest or in connection with the exercise of public powers need to be notified to the GPDP.
-
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
To identify and assess the risks to the rights and freedoms of data subjects, the GDPR requires data controllers to adopt, also in accordance with the principle of accountability, technical and organizational security measures appropriate to the risks that the data processing in question entails. In this sense, data controllers are required to carry out both a risk analysis with respect to all processing activities they carry out and, where necessary or appropriate, a DPIA pursuant to art. 35 GDPR. The GPDP has published a (non-exhaustive) list of the processing operations that are subject to the DPIA requirement, which includes (among others) large-scale evaluative or scoring processing activities, automated processing aimed at making decisions that produce legal effects or significantly affect the individual concerned, systematic processing of biometric and genetic data, and processing carried out with the use of innovative technologies (IoT, artificial intelligence, monitoring carried out by wearable devices).
No specific methodology has been developed by the GPDP on the performance of DPIAs with the result that the performance of DPIAs should generally follow the guidelines provided at the EU level (in particular, in the “Guidelines on Data Protection Impact Assessment” issued by the Article 29 Data Protection Working Party, as last revised on 4 October 2017). Moreover, risk assessment activities shall generally be performed by using methodologies derived from international standards such as ISO 27005 and ISO 31000, assessing the likelihood and impact of the risk that may arise. More specifically, performing a risk assessment for a data processing activity means evaluating the categories of personal data that will be processed, assessing the potential risks to the rights and freedoms of data subjects, and putting in place the necessary security measures to mitigate those risks. Depending on the nature and scope of the data processing activities, different approaches can be used to conduct a risk assessment although, most often, a mix of technical, organizational, and administrative procedures is used.
Performing vulnerability assessments and penetration tests to identify security weaknesses in systems and networks, building threat models to identify potential threats and attackers, and implementing access controls and other security measures to prevent unauthorized access to personal data are some common methods for conducting risk assessments for data processing activities.
-
Do the laws in your jurisdiction require appointment of a data protection officer or a chief information security officer (or other person to be in charge of privacy or data protection at the organization), and what are their legal responsibilities?
The appointment of a DPO is mandatory in the cases referred to in arts. 37.1 GDPR and 2-sexiesdecies of the Privacy Code (the latter article requires judicial authorities to appoint a DPO when processing personal data in the exercise of their duties). This figure is specialized in the protection of personal data and is characterized by requirements of functional independence and evaluation. The core tasks that a DPO shall perform consist of: (i) informing and advising the data controller or the data processor and the employees who carry out processing activities, as well as monitoring compliance with data protection legislation; (ii) acting as the contact point for the supervisory authority; and (iii) acting as the contact point for data subjects, who may contact him/her on all matters relating to the processing of their personal data and the exercise of their rights under arts. 15-22 GDPR.
In terms of cybersecurity laws, the designation of a Chief Information Security Officer (“CISO”) or similar function is not required by Italian law. Although there is no clear legal requirement for a CISO in Italy, companies may decide to appoint someone in this position to oversee their overall information security program, which may include privacy and data protection components. A CISO may be responsible for: (i) creating and implementing an information security plan; (ii) identifying and managing risks to the company’s information assets; (iii) ensuring compliance with applicable laws and regulations; (iv) monitoring the implementation of the technical and organizational security measures to protect information assets; and (v) responding to security breaches and incidents.
In general, it is crucial for companies to designate individuals or teams responsible for monitoring the soundness of their privacy / data protection and security posture and overall compliance with the applicable laws.
It should also be noted that DPCM No. 81/2021 (see question 28 below) requires the appointment of a contact person to oversee the implementation of the organizational and technological security measures outlined in the regulation for organizations that fall within the National Cyber Security Perimeter.
-
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
Even in the absence of an explicit and separate obligation on data controllers (and data processors) to conduct employee training sessions, such activities are a fundamental organizational security measure that organizations shall consider when developing their own organizational privacy model (arts. 5.2, 29 and 32.4 GDPR). It is therefore advisable that organizations establish a training program for individuals authorized to process personal data both at the time of their initial enrolment (e.g., as part of the introductory onboarding activities and trainings) and periodically in the course of their employment relationship (ideally, once a year), and that course attendance is duly documented.
-
Do the laws in your jurisdiction require businesses to provide notice to data subjects of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
In implementing the principle of transparency under art. 5.1.a) GDPR, the data controller is required to provide data subjects with information about the processing of their personal data both when it collects the data from the data subjects concerned (art. 13 GDPR) and when it obtains the data from third parties (art. 14 GDPR). In the first case, the information notice must be provided at the time of collection of the data in question; in the second case, the information notice must be provided within the terms set out in art. 14.3 GDPR. Information notices shall be drafted in a concise, transparent, intelligible, and easily accessible form, using clear and plain language and, more generally, in compliance with the requirements set out in art. 12 GDPR. In March 2021 the GPDP launched a contest called “Easy privacy information via icons? Yes, you can!”, for the purpose of developing solutions for making information notices simpler and clearer through icons, symbols, or other graphic elements. On 15 December 2021, the GPDP published on its website the three sets of icons that were deemed to be most effective.
-
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data, and, if so, what are they? (For example, are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The GDPR imposes obligations on both data controllers and data processors. While most of the data protection obligations are imposed on data controllers (on which the GDPR places primary administrative responsibility for compliance with the GDPR), data processors are mainly responsible (and are therefore accountable) for the technical and organizational aspects of the processing activities carried out (e.g., the implementation of adequate security measures pursuant to art. 32 GDPR). Moreover, data controllers are also accountable for the compliance of their data processors since they are required to only engage data processors that provide sufficient guarantees to implement appropriate technical and organizational measures.
-
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII, or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
The essential content requirements of the agreements governing the relationship between data controllers and data processors are expressly set forth in art. 28 GDPR. The GDPR requires data controllers to enter into a contract or other legal act with data processors in order to explicitly describe the scope, nature, and purpose of the processing activities that data processors are instructed to conduct on behalf of the data controller. The contract / other legal act must also set out the respective rights and responsibilities, as well as the appropriate technical and organizational measures to ensure the security of processing.
In addition, data controllers must ensure that data processors adopt adequate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, modification, unauthorized disclosure or access, or any other unlawful form of processing. This includes carrying out due diligence on data processors and assessing their privacy and security posture prior to their engagement, as well as ongoing monitoring of their compliance with the GDPR throughout the term of the contract. The obligation to carry out audits, due diligence, and privacy and security assessments is incumbent on data controllers, as a result of the general principle of accountability set out under art. 5.2 GDPR (which, in turn, is linked to a number of more detailed and specific provisions). Data controllers are accountable for their processing decisions and must demonstrate that they are in compliance with the GDPR. This means that data controllers must put in place all necessary policies and procedures in order to effectively protect personal data and comply with GDPR standards. As a best practice, it is therefore recommended that a second-party audit is carried out to assess the security and data protection posture of the entities involved in the supply chain.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including the use of tracking technologies such as cookies. How are these terms defined, and what restrictions are imposed, if any?
The legislation recognizes the general right of data subjects not to be subjected to decisions based solely on automated processing activities, including profiling (art. 22 GDPR). This right corresponds to the obligation for data controllers to prevent such decision-making processes, unless (i) these are necessary for the conclusion or performance of a contract between the data subject and a data controller; (ii) these have been authorized by the law of the EU or of the Member State to which the data controller is subject; or (iii) the explicit consent of the data subject has been acquired. In any case, where the automated decision-making process involves special categories of data, the data controller is allowed to carry out this type of processing activity only if the conditions referred to in art. 9.1.a) and g) GDPR apply and appropriate measures to protect data subjects are in place. Moreover, data controllers are required to take appropriate technical and organizational measures in order to ensure the right of the data subjects to obtain the intervention of human operators as well as the right to express their opinion and challenge the decision.
In June 2021, the GPDP published its updated “Guidelines on the use of cookies and other tracking tools”, where it specifies, among other things, the rules to be complied with when requesting users’ consent to the use of non-essential cookies (including profiling cookies), including recommendations on the configuration of the cookie banner (e.g., a command – such as an “X” at the top right corner of the cookie banner – that allows users to close the banner while keeping the default settings and therefore continue to browse with technical cookies only; a command to accept all cookies; and a link to a dedicated area where individuals can express their choices in a granular manner as to the functionalities and third-party cookies to which they choose to consent).
Lastly, it is worth mentioning that the possibility of using CCTV, as well as other means that could be used for the remote monitoring of employees’ activities, is restricted under art. 4 of Law No. 300/1970 (also known as the “Workers’ Statute”).
-
Please describe any restrictions on targeted advertising and cross-contextual behavioral advertising. How are these terms or related terms defined?
In Italy, targeted advertising and cross-contextual behavioral advertising are regulated by the GDPR and the Privacy Code.
Targeted advertising is generally intended as the use of personal data to select and present advertisements to a specific individual or group of individuals. Cross-contextual behavioral advertising involves the use of personal data to present advertisements based on a person’s browsing history across multiple websites or applications. The most appropriate legal basis for this type of processing activity is generally identified in the data subject’s consent (this is particularly true in relation to cross-contextual behavioral advertising based on the data subject’s browsing history, which is likely to trigger the application of the ePrivacy Directive). Companies are therefore required to obtain the individual’s prior consent before processing personal data for cross-contextual or targeted behavioral advertising. Consent must be freely given, accurate, well informed and unambiguous. In addition, the GDPR requires that individuals have the freedom to revoke their consent at any time.
Furthermore, the GDPR mandates that companies disclose to customers in a clear and unambiguous manner how their personal data will be used for advertising purposes. This includes details of the categories of recipients with whom the data will be shared, the sources from which the personal data will be obtained, and the purposes of the processing.
The GDPR also sets additional standards for the processing of certain categories of personal data, such as information about an individual’s political beliefs, religion, or health. In general, the use of such data for commercial purposes is not allowed, unless the data subject has expressly consented or there is another legal justification.
The overall aim of these provisions is to protect people’s right to privacy and data protection by requiring companies to process personal data for advertising purposes in a transparent and accountable manner, with the individual’s prior consent and clear disclosure of the processing activities that the data controller intends to undertake.
As far as targeting in online environments is concerned, it is also necessary to refer to “Guidelines 8/2020 on the targeting of social media users” of the European Data Protection Board (“EDPB”).
Moreover (as also noted above in question 22), it is worth recalling that the GPDP has recently issued specific guidelines on the use of cookies and other tracking tools (“Guidelines on the use of cookies and other tracking tools” of 10 June 2021), which also include detailed recommendations on how to ensure that consent is validly acquired in relation to non-essential cookies (including profiling cookies).
-
Please describe any laws in your jurisdiction addressing the sale of personal data. How is “sale” or related terms defined, and what restrictions are imposed, if any?
“Sale” of personal data is not specifically defined under the GDPR and the Privacy Code, although it is captured under the broad definition of “processing” activities. The sharing of personal data with third parties, especially for commercial / marketing purposes, is regulated by the general data protection principles set out under the GDPR and the Privacy Code (e.g., the need for an appropriate legal basis and compliance with transparency requirements) and by the indications contained in the decisions and guidelines delivered by the GPDP. Reference can be made both to general guidelines issued by the GPDP (such as the “Guidelines on Marketing and against Spam” of 4 July 2013, where the GPDP provides recommendations on the consent to be specifically obtained for the communication / sharing of personal data with third parties for their own marketing purposes), and to sanctions imposed by the GPDP against specific organizations, which contain important clarifications regarding the requirements related to this processing activity (among others, “Ordinanza di ingiunzione nei confronti di Enel Energia S.p.a.” of 16 December 2021; “Ordinanza di ingiunzione nei confronti di Sky Italia S.r.l.” of 16 September 2021).
-
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined, and what restrictions are imposed, if any?
The matter is mainly governed by the provisions of the Privacy Code that implement the ePrivacy Directive, as well as more generally by the rules contained in the GDPR. Among the aforementioned provisions, it is important to mention art. 130 of the Privacy Code, which sets out the obligation for data controllers to collect the data subject’s prior consent in relation to the use of automatic calling or communication systems without human intervention, as well as for electronic communications (by means of emails, fax, SMS, MMS and others), for the purpose of direct marketing activities, for the sending of advertising materials, or for carrying out market surveys or interactive business communications. Some limited exceptions to the consent requirement are set out under art. 130.4 of the Privacy Code in relation to direct marketing activities that are performed by using email contact details supplied by the data subject in the context of the sale of a product or service.
As for direct marketing communications by means of non-automated telephone calls, data controllers may lawfully contact data subjects who have expressed their prior consent, or whose number is included in the telephone directory and who have not opted out of receiving marketing communications by telephone by registering their telephone number in the opt-out register – Registro Pubblico delle Opposizioni (this was set up with Law No. 5/2018 and its scope of application has recently been extended so as to include the possibility of registering all telephone numbers, including mobile numbers). Lastly, it is worth mentioning that, in March 2023, the GPDP approved a Code of Conduct for telemarketing and teleselling activities pursuant to arts. 40.5 and 57.1.m) of the GDPR.
-
Please describe any laws in your jurisdiction addressing biometrics such as facial recognition. How are these terms defined, and what restrictions are imposed, if any?
The processing of biometric data is governed by the GDPR, which includes such data under the definition of “special categories of personal data” pursuant to art. 9 GDPR, with the result that biometric data can only be processed subject to limited conditions (e.g., the data subject’s explicit consent). The matter is further regulated by the Privacy Code, which provides that the processing of biometric data (as well as genetic and health data) must be carried out in compliance with specific safeguards to be adopted by the GPDP every two years pursuant to art. 2-septies of the Privacy Code. The same article also provides that the dissemination of biometric data (as well as genetic and health data) is prohibited. The processing of biometric data is also regulated by the indications provided by the EDPB in its guidelines (see in particular its “Guidelines 3/2019 on processing of personal data through video devices”, adopted on 29 January 2020 after public consultation).
-
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Within the framework of national and EU law, the transfer of personal data to third countries not belonging to the European Economic Area (“EEA”) is permitted provided that the adequacy of the third country is recognized by a specific decision of the European Commission (art. 45 GDPR). In the absence of such a decision, the transfer outside the EEA may be performed subject to the condition that the so-called “data exporter” (whether data controller or data processor) implements appropriate safeguards among those identified in paragraphs 2 and 3 of art. 46 GDPR, such as standard contractual clauses. In the absence of appropriate safeguards, it is possible to transfer personal data outside the EEA only by virtue of certain exceptional and imperative circumstances (called “derogations”, as they derogate from the general rule that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards are in place) which are set out under art. 49 GDPR (e.g., data subject’s explicit consent).
In this framework, with its judgment of 16 July 2020 in case C-311/18 (the so-called “Schrems II” case), the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, while reaffirming the validity of standard contractual clauses subject to the condition that the data exporter verifies, on a case-by-case basis, whether the law or practice of the third country of destination impinges on the effectiveness of the appropriate safeguards under art. 46 GDPR. In particular, the CJEU confirmed that the transfer of personal data to third countries shall never result in the risk of undermining or weakening the protection afforded to data subjects within the EEA. In the wake of the CJEU’s judgment, the EDPB issued two sets of guidelines containing recommendations on how to ensure compliance with data transfer rules (“Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, adopted on 18 June 2021 after public consultation, and “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” of 10 November 2020).
-
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Both data controllers and data processors are accountable for the security measures they have implemented.
Art. 32 of the GDPR focuses on the security of the processing of personal data, requiring data controllers and data processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The terms “context” and “state of the art” in art. 32 emphasize the importance of taking into account the specific circumstances of the case and the latest technological developments when implementing security measures. “Context” refers to the specific situation, environment, and characteristics of each data processing scenario, while “state of the art” refers to the latest and most advanced technologies and practices available for data protection.
The Italian DPCM 81/2021 is a regulation aimed at strengthening data protection measures by incorporating GDPR principles into national legislation. Allegato B (Annex B) of DPCM 81/2021 provides a detailed list of security measures to be implemented by data controllers and data processors. These measures are designed to comply with the requirements of the GDPR, including those set out in art. 32. The security measures described in Allegato B are grouped into categories such as:
- Organizational measures;
- Physical security measures;
- Logical security measures;
- Security in the management of data and storage media;
- Security in the transmission and transport of data.
The link between the concept of “context” and “state of the art” in art. 32 of the GDPR and the security measures in Allegato B of DPCM 81/2021 can be understood as follows:
- Context-sensitive measures: the security measures in Allegato B are designed to be adaptable to the specific context of each organization or data processing scenario. Data controllers and data processors should choose appropriate measures based on the context, including the type of personal data processed, the scope of the processing, the size of the organization, and the nature of the risks involved;
- State-of-the-art measures: Allegato B aims to provide a comprehensive list of security measures that reflect the current state of data protection technology and practices. These measures are regularly updated to ensure that they remain relevant and effective in light of technological advances and emerging risks.
By following the guidelines in Allegato B, organizations in Italy can ensure that they are implementing context-appropriate and state-of-the-art security measures, as required by art. 32 GDPR. This will help organizations protect personal data and remain compliant with both national and EU data protection regulations.
In 2018, ENISA issued the “Handbook on Security of Personal Data Processing”, which provides guidance on the minimum technical standards to be provided by companies for personal data processing and “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”, which aim to provide a common approach at the EU level regarding security measures to be implemented by digital service providers.
-
Do the data protection, privacy and cybersecurity laws in your jurisdiction address security breaches, and, if so, how does the law define “security breach”?
Given the automatic applicability of the GDPR under Italian law, the term “personal data breach” is defined under art. 4(12) GDPR. The said article defines “personal data breach” as a breach of the security of personal data transmitted, stored, or otherwise processed, resulting in its accidental or unlawful compromise, in terms of:
- Destruction (i.e., personal data no longer exist or are otherwise in a form that is of no use to the data controller);
- Loss (i.e., the data controller no longer holds such data, no longer has control over it, or loses the ability to access it);
- Alteration (i.e., the affected personal data suffer some form of damage, such as being modified, corrupted or made incomplete);
- Unauthorized disclosure (i.e., personal data are unlawfully brought to the knowledge of persons not authorized to receive them);
- Unauthorized access (i.e., access to personal data by unauthorized recipients, or any other form of processing in violation of the GDPR).
The Article 29 Data Protection Working Party has classified personal data breaches according to three information security principles (in an opinion it issued in 2014):
- Breach of personal data confidentiality: personal data is, accidentally or unlawfully, disclosed or accessed by unauthorized parties;
- Breach of personal data integrity: alteration of personal data, such as unauthorized or accidental modification of personal data;
- Breach of personal data availability: a breach that occurs in the cases of loss of personal data, failure of the authorized party to access the personal data, accidental or unlawful destruction of personal data.
In addition, ENISA published a 2020 threat landscape describing data breaches, where it notes that “a data breach is a type of cybersecurity incident in which information (or part of an information system) is accessed without the right authorization, typically with malicious intent, resulting in the potential loss or misuse of that information. It also includes ‘human error’ that often happens during the configuration and deployment of certain services and systems and may result in the unintentional exposure of data”.
Within the Italian legal framework, art. 3 of Legislative Decree No. 65/2018 defines an incident as “any event with a real negative impact on the security of the network and information systems”.
The term incident, defined as any event with a real negative impact on the security of network and information systems, is used in the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (“NIS Regulations”).
In relation to the National Cybersecurity Perimeter (Perimetro di Sicurezza Nazionale Cibernetica – “PSNC”) framework (i.e., the Italian national cybersecurity framework that is aimed at protecting critical infrastructure and ensuring the security and resilience of the country’s digital ecosystem), “security incident” is not explicitly defined.
However, a security incident can generally be defined as an event or series of events that adversely affects the confidentiality, integrity, or availability of an organization’s information systems, networks or data. This can include unauthorized access, data breaches, malware attacks, denial of service attacks and other threats to the organization’s digital infrastructure.
In the context of the PSNC framework, a security incident would likely include any event or series of events that compromise the cybersecurity of Italy’s critical infrastructure or the resilience of its digital ecosystem. The aim of the PSNC is to develop and maintain a high level of protection for these systems, so managing and responding to security incidents would be a key aspect of the framework.
It is important to keep abreast of the latest developments and guidelines from the Italian government and cyber security agencies to ensure compliance with the latest definitions and requirements related to the PSNC framework.
-
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Being an omnibus regime, EU and Italian data protection law is not sector-specific and, as such, generally applies to all areas where the processing of personal data takes place.
More sector-specific guidance is typically outlined in GPDP’s decisions, recommendations, and guidelines, some of which were adopted before the GDPR became applicable but are still in force (e.g., regarding system administrators, the processing of personal data relating to fidelity cards and social media marketing). Regarding the Electronic Health Record system, the Agency for Digital Italy (“AgID”) has published the relevant legislation on its website.
In any case, healthcare, banking, and finance, together with sectors closely related to national security (defense, energy, telecommunications, etc.) are the most regulated sectors in Italy from a cybersecurity perspective.
In addition, with regard to specific sectors and critical infrastructures, it is worth mentioning DPCM No. 131/2020, implementing Law Decree No. 105/2019, which came into force on 5 November 2020 and laid out the first concrete foundations of the PSNC.
Entities that are included in the PSNC must perform important tasks, such as: annually updating the list of ICT assets; conducting risk analysis to identify risk factors for incidents; managing and implementing the necessary security measures; mapping the ICT assets they need and analyzing the associated risks to ensure the integrity, efficiency, and security of the data and information they contain. In addition, hindering or conditioning the inspection and verification activities carried out within the PSNC may result in criminal liability.
Legislative Decree No. 65/2018 implemented the NIS Directive, providing guidance on risk management and the prevention, mitigation and notification of cyber incidents and attacks. In the context of the said Legislative Decree, the Italian legislator has identified the operators of essential services, to which general requirements have been assigned for the adoption of appropriate and proportionate technical and organizational measures to manage the risk posed to the security of network and information systems.
The most sensitive sectors are summarized below:
- Healthcare and medical devices
The Medical Devices Regulation (“MDR”) and the In Vitro Diagnostic Medical Devices Regulation (“IVDR”) govern medical devices in the EU. These regulations provide specific requirements for the design, manufacture and use of medical devices, as well as a legal basis for their performance and safety.
It should also be noted that the NIS Directive regulates certain aspects of the security of networks and information systems used in the above activities.
In Italy, the Ministry of Health regulates medical devices through the Italian Institute of Health. The Ministerial Decree of 2 April 2020 on “Technical requirements for medical devices and software” outlines the cybersecurity requirements for medical devices. In fact, medical devices must be created in compliance with the design and development requirements of this decree (which pays special attention to ensuring their security and protection against cyber risks). The decree also sets out specific standards for cybersecurity, such as ensuring the confidentiality, integrity and availability of data handled by the device; implementing the necessary organizational and technical safeguards to protect the device against theft, loss, modification and unauthorized access; consistently updating the device’s software to fix bugs and security issues; and conducting periodic risk analyses to identify potential security risks and vulnerabilities. The decree also requires medical device manufacturers to notify the Italian Institute of Health of any security events or breaches that may affect the performance or safety of the device.
- Security requirements for industrial control systems and supervisory control and data acquisition
Industrial control systems (“ICS”) and supervisory control and data acquisition (“SCADA”) systems must comply with cybersecurity laws and standards, such as Legislative Decree No. 65/2018 on the cybersecurity of networks and information systems, as well as technical guidelines issued by the Italian National Agency for New Technologies, Energy and Sustainable Economic Development (“ENEA”). ENEA has published recommendations on the technical measures that should be taken to protect the security of ICS and SCADA systems, including the implementation of firewalls, intrusion detection and prevention systems, secure remote access controls and encryption of sensitive data.
- Security requirements for IoT
IoT devices do not currently have any regulatory security requirements. However, the relevant GDPR requirements and/or (as far as cybersecurity is concerned) the requirements of the PSNC apply, and it is advisable to refer to the ISO 27400 standard in cases where such devices are involved in the processing of personal data and/or are part of the infrastructure of organizations that are deemed to be critical to national security.
- Requirements for secure software development
There are currently no enforceable security standards for secure software development. It is worth mentioning that AgID has published a set of guidelines for implementing a secure software development process in all software development life cycle (“SDLC”) phases, through the identification and implementation of relevant security measures.
-
Under what circumstances must a business report security breaches to regulators, to individuals or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator, and what is the typical custom or practice in your jurisdiction?
In case of a data breach, the data controller must, without undue delay and, where feasible, no later than 72 hours after having become aware of the data breach, notify the supervisory authority. The data controller must provide the supervisory authority with the information outlined in art. 33.3 of the GDPR, which includes:
- the nature of the personal data breach;
- the categories and approximate number of data subjects concerned;
- the likely consequences of the breach;
- the measures taken or proposed to be taken to address it and mitigate its effects.
The supervisory authority does not need to be informed of the data breach where it is unlikely to result in a risk to the rights and freedoms of data subjects, while both the authority and affected individuals must be informed where the data breach is likely to result in a high risk for the persons concerned, under article 34 GDPR.
Depending on the seriousness of the data breach and the risk it poses to individuals, a threshold must be set for notifying individuals. In addition, the data controller is required to notify individuals without undue delay if the data breach presents a significant risk to their rights and freedoms. In cases where a data breach may jeopardize the well-being or safety of data subjects (such as in the case where health information is affected), specific notification obligations may also apply. Apart from the above, Italian law does not specify any additional thresholds or norms for notifying the supervisory authority and the affected data subjects. The decision to notify is based on the specific circumstances of the data breach and the legal and contractual obligations upon the data controller.
Moreover, the provisions of art. 33 GDPR are also taken into account (where applicable) by art. 13 of Legislative Decree No. 65/2018, which outlines a framework for cooperation between the competent NIS authority and the GPDP in the event of security incidents that also affect personal data. This entails that a double notification would need to be carried out if a security incident results in a personal data breach. The operator is therefore required to notify the GPDP under article 33 GDPR and the competent NIS authority under arts. 12 and 14 of Legislative Decree No. 65/2018 (while the communication of a data breach to data subjects is regulated by article 34 GDPR).
If a data breach is not immediately notified to the GPDP or the affected parties, the company may face significant fines and reputational damage. Notification is also seen as a best practice by the GPDP in cases where a data breach does not necessarily require notification but may nevertheless have an impact on the rights and freedoms of individuals. Overall, Italy takes notification obligations around security incidents seriously, and data controllers are required to take appropriate corrective actions to address data breaches as soon as they occur and in a transparent manner.
EU supervisory authorities have provided guidance on data breaches in their relevant guidelines. The GPDP recently released a self-assessment tool on its website to assist data controllers and data processors in evaluating the necessity to notify a data breach to the authority and to data subjects.
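As an added example (not part of the original page, nor of any GPDP or CSIRT Italia tool), the following Python sketch encodes the notification logic described above: the art. 4(12) GDPR breach types mapped onto the Article 29 Working Party confidentiality/integrity/availability classification, the 72-hour art. 33 window to the GPDP, the art. 34 threshold for informing data subjects, the art. 33.3 minimum content, and the double notification for operators under Legislative Decree No. 65/2018. The breach record, risk tiers and sample incident are constructed; the risk assessment that feeds them remains the controller's own judgement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

class BreachType(Enum):
    """Forms of compromise listed in art. 4(12) GDPR."""
    DESTRUCTION = "destruction"
    LOSS = "loss"
    ALTERATION = "alteration"
    UNAUTHORISED_DISCLOSURE = "unauthorised disclosure"
    UNAUTHORISED_ACCESS = "unauthorised access"

# Article 29 Working Party classification: the security principle each form of compromise breaches.
CIA_PRINCIPLE = {
    BreachType.DESTRUCTION: "availability",
    BreachType.LOSS: "availability",
    BreachType.ALTERATION: "integrity",
    BreachType.UNAUTHORISED_DISCLOSURE: "confidentiality",
    BreachType.UNAUTHORISED_ACCESS: "confidentiality",
}

class Risk(Enum):
    """Outcome of the controller's own risk assessment (constructed tiers, not a legal taxonomy)."""
    UNLIKELY = 0  # unlikely to result in a risk: no notification to the GPDP (art. 33.1)
    RISK = 1      # likely to result in a risk: notify the GPDP (art. 33)
    HIGH = 2      # likely to result in a high risk: also inform data subjects (art. 34)

GPDP_WINDOW = timedelta(hours=72)  # art. 33.1 GDPR, counted from the moment of awareness

@dataclass
class Breach:
    became_aware_at: datetime          # timezone-aware moment the controller became aware
    breach_types: List[BreachType]
    data_subjects: int                 # approximate number of data subjects concerned
    risk: Risk
    nis_operator: bool = False         # controller is an operator under Legislative Decree No. 65/2018
    measures: str = ""                 # measures taken or proposed (art. 33.3)

@dataclass
class Triage:
    principles: List[str]
    notify_gpdp: bool
    gpdp_deadline: Optional[datetime]
    notify_data_subjects: bool
    notify_nis_authority: bool

def classify(breach: Breach) -> List[str]:
    """Map the art. 4(12) breach types onto the CIA principles, in order, without duplicates."""
    principles: List[str] = []
    for breach_type in breach.breach_types:
        principle = CIA_PRINCIPLE[breach_type]
        if principle not in principles:
            principles.append(principle)
    return principles

def triage(breach: Breach) -> Triage:
    """Decide which notifications the framework calls for, based on the assessed risk."""
    notify_gpdp = breach.risk is not Risk.UNLIKELY
    return Triage(
        principles=classify(breach),
        notify_gpdp=notify_gpdp,
        gpdp_deadline=breach.became_aware_at + GPDP_WINDOW if notify_gpdp else None,
        notify_data_subjects=breach.risk is Risk.HIGH,
        # Double notification: an NIS operator also notifies the competent NIS authority
        # under arts. 12 and 14 of Legislative Decree No. 65/2018 (art. 13 links the two regimes).
        notify_nis_authority=breach.nis_operator,
    )

def hours_remaining(breach: Breach, now: datetime) -> Optional[float]:
    """Hours left in the 72-hour window; negative means the notification is already late."""
    result = triage(breach)
    if result.gpdp_deadline is None:
        return None
    return (result.gpdp_deadline - now).total_seconds() / 3600

def gpdp_notification(breach: Breach) -> dict:
    """Minimum content of the notification to the GPDP per art. 33.3 GDPR."""
    principles = classify(breach)
    return {
        "nature": [bt.value for bt in breach.breach_types],
        "approximate_data_subjects": breach.data_subjects,
        "likely_consequences": [f"breach of personal data {p}" for p in principles],
        "measures": breach.measures,
    }

def sample_breach() -> Breach:
    """Constructed sample (not a real case): stolen credentials used on a patient portal."""
    return Breach(
        became_aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        breach_types=[BreachType.UNAUTHORISED_ACCESS, BreachType.ALTERATION],
        data_subjects=1500,
        risk=Risk.HIGH,
        nis_operator=True,
        measures="sessions revoked, passwords reset, audit logs preserved",
    )

if __name__ == "__main__":
    print(triage(sample_breach()))
    print(gpdp_notification(sample_breach()))
```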
In addition, to report a cyber security incident in Italy, organizations should contact the Computer Security Incident Response Team Italia (“CSIRT Italia”), which is the national contact point for reporting and responding to cyber security incidents.
CSIRT Italia provides assistance to all organizations and individuals, regardless of their sector or industry.
When reporting a cybersecurity incident to CSIRT Italia, it is important to provide as much information as possible, including:
- The date and time of the incident;
- The type of incident (e.g., malware infection, data breach, phishing);
- The systems or devices affected;
- Any potential impact on business operations or data;
- Any actions taken to contain or mitigate the incident.
CSIRT Italia will then assess the incident and provide guidance and technical assistance to help resolve the issue and prevent further damage. This may include recommending specific security measures or coordinating with other relevant authorities or agencies.
It is important to note that, depending on the sector and the nature of the incident, there may be legal or regulatory requirements that require companies to report cybersecurity incidents to specific authorities or agencies. In general, it is recommended that businesses establish incident response plans and procedures that outline clear reporting requirements and contact information for relevant authorities and agencies.
-
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cybercrime, such as the payment of ransoms in ransomware attacks?
Yes. In general, art. 3 of Legislative Decree No. 65/2018 defines cybersecurity, or “network and information system security”, as the ability of network and information systems to withstand, at a given level of confidence, any action that compromises the authenticity, integrity or confidentiality of data stored, transmitted or processed and of the related services offered by or accessible through such network or information systems.
Cybercrimes are defined as any crime committed with an information system and are regulated under arts. 615-ter to 615-quinquies, 635-bis to 635-quinquies, 640-ter and 491-bis ff. of the Italian Criminal Code.
Privacy/data protection is to be intended as the protection of natural persons in relation to the processing of personal data and is a fundamental right. Cybersecurity is an integral part of the protection of personal data, but it also extends to information that is not related to an identified or identifiable natural person.
In any case, privacy, cybersecurity and criminal provisions are strictly interconnected. Therefore, cybercrimes can only be effectively prevented by implementing an adequate system of security measures. In Italy, the same conduct that is punished as a cybercrime could also result in liability for the companies themselves if these crimes are committed to the advantage of the legal entity (as provided in Legislative Decree No. 231/2001).
For all these reasons, the Italian legal system includes laws and regulations that specifically address cyber threats that may occur in certain areas, such as risks associated with intellectual property and, in general, the dissemination of confidential information, as well as cyber threats associated with cloud computing.
Under the Italian legal framework, art. 379 of the Italian Criminal Code concerns “favoreggiamento reale” or “aiding and abetting” the commission of a crime. It states that anyone who helps a person who has committed a crime to secure impunity or to escape commits a crime. The penalty ranges from six months to three years of imprisonment.
In the case of ransomware attacks, paying a ransom could be considered as “favoreggiamento reale” under certain circumstances. Paying the ransom financially helps the attacker, which may help them avoid detection or continue their criminal activities.
However, the relationship between art. 379 and ransom payments is not straightforward as it depends on the specific case at hand, the payer’s knowledge and awareness of assisting the criminal, and the alternative options available to resolve the situation.
This highlights the importance of proactive measures to protect against ransomware attacks, including robust cybersecurity practices, data backups and employee training on cyber threats.
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
Yes, the Italian government has adopted a decentralized approach to the implementation of the NIS Directive, with the designation of five ministries as “Competent NIS Authorities”: Economic Development; Infrastructure and Transport; Economy and Finance; Health; and Environment and Land and Sea Protection.
Moreover, as noted in question 1, Law Decree No. 82/2021 established the ACN. The ACN is the national authority with competence in cybersecurity for the purposes of the NIS Directive, with inspection and sanctioning functions, as well as the competence to issue certifications pursuant to the Cybersecurity Act. More generally, it holds many competences previously entrusted to other bodies (MISE, DIS, AgID), as well as a number of functional tasks, including the implementation of risk prevention and monitoring policies, participation in international exercises to assess the adequacy of security measures, the drafting of the annual national cybersecurity plan, and an active role in the definition of a regulatory framework for the sector in collaboration with the academic and research community.
In addition to the Cyber Security Nucleus, the ACN includes CSIRT Italia, to which a number of tasks have been assigned, including:
- Monitoring cyber incidents at national level, managing communication with the parties involved in events that threaten the security of networks and services;
- Maintaining a constant dialogue with the European network of national CSIRTs;
- Communicating to the Cybersecurity Nucleus about the monitored events.
CSIRT Italia, in agreement with the ACN, also disseminates alerts through social channels and produces so-called “bulletins” that circulate the main indicators of compromise relating to cybersecurity events with major consequences.
In addition to the ACN, a significant role is also played by the GPDP, which is responsible for overseeing compliance with the principle of integrity and confidentiality and with data protection legislation more broadly. Moreover, the GPDP works closely with other regulatory organizations and law enforcement agencies to investigate and fine cases of data protection violations.
In this respect, it is worth noting that the GPDP has a number of powers and duties, including:
- Investigating complaints: it has the power to investigate reports of alleged breaches of data protection laws, as well as complaints themselves. It has the power to conduct inspections, collect information and take legal action to enforce compliance;
- Applying administrative penalties: it has the power to impose penalties and fines for breaches of data protection laws. The maximum fine is €20 million, or 4% of a company’s global annual turnover;
- Providing advice and information: it informs people and organizations about data protection policies and best practice. It also makes information available on its website and through other means to help people and organizations understand their legal rights and obligations;
- Raising awareness: the GPDP seeks to increase public understanding of privacy and data protection issues. It plans training and education campaigns for individuals, businesses, and other stakeholders.
Moreover, financial sector regulators in Italy have a significant impact on maintaining the integrity and stability of the financial system and the safety of financial institutions. The Bank of Italy (Banca d’Italia), which regulates banks, financial institutions, and payment service providers, is the main financial sector regulator in Italy. To improve cybersecurity in the financial sector, the Bank of Italy has several powers, including:
- Issuing laws requiring financial institutions to adopt appropriate cybersecurity measures and to establish a cybersecurity risk management framework;
- Conducting routine assessments of financial institutions’ cybersecurity policies and procedures to ensure compliance with laws and industry standards;
- Investigating and responding to cybersecurity incidents or breaches disclosed by these financial institutions;
- Providing advice and best practices to financial institutions on how to manage cybersecurity risks and defend themselves against cyber threats.
In Italy, several sectoral authorities also play a role in promoting cybersecurity in their areas of competence. For example, the Italian Communications Authority (Autorità per le garanzie nelle comunicazioni) supports cybersecurity in areas such as network security and data protection, and regulates the telecommunications industry, together with the supervision of the energy industry.
-
Do the laws in your jurisdiction provide individual data privacy rights such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Yes. Privacy rights, as personal and inalienable rights, are covered by articles 15-22 GDPR. In particular, data subjects are entitled to the right of access, the right to rectification, the right to be forgotten, the right to restriction, the right to portability, the right to object and the right not to be subjected to decisions based solely on automated processing activities. The exceptions and restrictions to these rights are provided for in articles 2-undecies and 2-duodecies Privacy Code, in implementation and in compliance with art. 23 GDPR (see also question 11 above).
-
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Yes. Under art. 77 ff. GDPR, data subjects are entitled to lodge a complaint with a supervisory authority and to exercise their right to an effective judicial remedy if they consider that the processing of their personal data infringes the GDPR (including when they consider that their privacy rights have been infringed). Moreover, in cases where the exercise of their privacy rights has been delayed, limited, or excluded pursuant to art. 2-undecies Privacy Code, privacy rights may be exercised through the supervisory authority, in the manner set out in art. 160 of the Privacy Code.
-
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Yes. In cases where data subjects consider that the processing of their personal data infringes the GDPR, data subjects are entitled to exercise their right to lodge a complaint with the supervisory authority (see arts. 77 GDPR; 141-144, 153 ff. Privacy Code; 1-9, 18-22 and 24-28 of Law No. 689/81) and to exercise their right to an effective judicial remedy against a data controller and/or data processor and against legally binding decisions of the supervisory authority concerning them (arts. 78 and 79 GDPR; art. 152 Privacy Code; art. 10 of Legislative Decree No. 150/2011). Data subjects may exercise these rights on their own or by giving a mandate to bodies, organizations and associations representing the interested parties pursuant to art. 80 GDPR.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection, privacy and/or cybersecurity laws? Is actual damage required, or is injury of feelings sufficient?
Yes. Pursuant to art. 82 GDPR, data subjects have the right to obtain compensation for material and non-material damages resulting from unlawful processing of their personal data. In application of the rules of compensation for damages set out under arts. 2043 ff. of the Italian Civil Code, it is necessary that the injury to the right to protection of personal data takes the form of an actual and current financial or non-financial damage.
With regard to cybersecurity legislation, Italian law provides for a number of offences: unauthorized access to a computer or telematic system; unauthorized possession of devices, codes and other means of access to computer or telematic systems; damaging computer information, data and programs; computer fraud; misuse and counterfeiting of non-cash means of payment; aiding and abetting. If a crime is reported, the legal system provides for sanctions through the instrument of trial. In addition, it is possible to claim damages through a civil action.
-
How are data protection, privacy and cybersecurity laws enforced?
The application of privacy and data protection legislation is guaranteed by the supervision of the GPDP, as an independent administrative authority entrusted with the general task of ensuring protection of the fundamental rights and freedoms of data subjects. Moreover, non-compliance with the applicable data protection requirements may also be found by the ordinary judicial authority, in the event that data subjects exercise their right to an effective judicial remedy (art. 140-bis ff. Privacy Code).
The steps that Italy’s cybersecurity regulators or data protection authorities must take to conduct investigations and impose penalties depend on the specific laws and regulations being enforced. However, the following stages are generally included in the process:
- Investigation: The authority or regulator opens an investigation into a reported incident or possible breach. This may involve requesting information from the respondent, conducting on-site audits or inspections, and interviewing key individuals;
- Finding of non-compliance: the authority or regulator decides whether there has been a breach of the relevant laws or regulations;
- Imposing penalties: If a violation is found, the regulator or authority may impose penalties, which may include administrative fines or orders to undertake corrective action.
Respondents are entitled to due process, including the right to be notified of the allegations against them, the opportunity to respond to those allegations, and the right to appeal any fines imposed. Depending on the circumstances of the incident and the applicable laws and regulations, various legal standards or criteria may be applied to assess whether a violation has occurred.
-
What is the range of sanctions (including fines and penalties) for violation of data protection, privacy and cybersecurity laws?
The sanctions applicable in the event of a breach of data protection regulations are governed by articles 83 and 84 GDPR and 166 Privacy Code. In principle, sanctions may be of a corrective nature (as in the case of warnings) or of a pecuniary nature; in the latter case, for the cases referred to in art. 83.4 GDPR, sanctions may be up to 10 000 000 EUR or, for companies, up to 2 % of the total annual worldwide turnover of the previous financial year, whichever is higher, and, for cases referred to in art. 83.5 GDPR, up to 20 000 000 EUR or, for companies, up to 4 % of the total annual worldwide turnover of the previous financial year, whichever is higher. The Privacy Code also provides for some criminal penalties relating to certain actions/processing activities (e.g., unlawful processing of personal data to gain profit or cause damage to data subjects, unlawful communication or dissemination of personal data processed on a large scale to gain profit or to cause harm to data subjects, false declarations to the GPDP). The penalty for these criminal offenses ranges from six months to six years of imprisonment, depending on the nature of the breach.
Additional penalties may derive from the violation of the laws that specifically govern the cybersecurity realm, such as in the context of the PSNC and of the NIS Directive. For violations of the NIS Directive, businesses can be fined up to 10 million EUR or up to 2% of their total global annual turnover of the previous financial year, whichever is higher. This applies to all companies providing essential services or operating digital service providers, including those operating within the PSNC.
It is worth noting that fines and penalties are not the only possible sanctions for violations of data protection, privacy, and cybersecurity laws. Companies may also be subject to legal actions, civil liability claims, and reputational damages.
In summary, the range of sanctions for breaches of data protection, privacy and cybersecurity laws in Italy can be significant and may include fines, legal actions, and reputational damage. The severity of the sanctions depends on the specific law or regulation that has been infringed and the nature of the violation.
-
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
Yes, the “Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679” adopted by the Article 29 Working Party on 3 October 2017.
-
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Yes. According to art. 78 GDPR, without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established. In Italy, jurisdiction in this area belongs to the ordinary judicial authority pursuant to art. 152 Privacy Code.
-
Are there any identifiable trends in enforcement activity in your jurisdiction?
Yes. There are observable trends in data protection and cybersecurity enforcement activities in Italy. In 2019, the GPDP issued the highest number of fines in the EU for breaches of the GDPR and, at the time of writing, it is the second most active supervisory authority in terms of fines. The GPDP has shown itself to be especially focused on countering unlawful telemarketing practices in relation (among others) to consent and transparency requirements and the engagement of call centers. Most recently, the GPDP has also turned its attention to the protection of children’s privacy rights. This is, for example, the case of the enforcement actions taken against TikTok and Replika concerning data verification requirements. A number of actions have also been taken by the GPDP for the purpose of ensuring compliance with data transfer rules in the aftermath of the Schrems II case, especially in connection with the use of the Google Analytics service by website publishers. The GPDP has in fact concluded that the measures adopted by Google to supplement the data transfer instruments did not ensure an adequate level of protection for users’ personal data in the light of the guidance provided by the EDPB through its “Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (see question 27 above).
Moreover, the Italian government has taken initiatives to strengthen its cybersecurity infrastructure, such as the establishment of the National Cybersecurity Centre (“NCSC”) and the implementation of the PSNC. Various factors, including emerging threats and the geopolitical context, have a significant impact on the cyber landscape. Cyber-attacks on businesses worldwide increased by 42% in the first half of 2022. State-sponsored hacking groups and the use of ransomware have also increased significantly.
In response to these threats, the ACN issued Resolution No. 307/2022, which regulates cloud service providers and cloud-based solutions (IaaS, PaaS, SaaS). The requirements focus on two parallel tracks and on the data processed by providers. They require certifications such as ISO/IEC 27001, ISO 9001, ISO 20000-1 and ISO 22301, and compliance with DPCM No. 81/2021. This set of security measures, based on the US NIST framework and adapted for Italy by the National Interuniversity Consortium for Informatics (Consorzio Interuniversitario Nazionale per l’Informatica – “CINI”), effectively equates providers to subjects within the PSNC.
In conclusion, by 2023, cloud providers for the Italian public administration (IaaS, PaaS and SaaS providers) will be required to comply with high international cybersecurity standards and regulations based on the consideration that security threats addressed to these providers may ultimately jeopardize national security. Overall, Italy is increasingly recognizing the importance of cybersecurity and the need for effective enforcement of the applicable requirements so as to ensure protection against cyber threats.
-
Are there any proposals for reforming data protection, privacy and/or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
Yes. Among the proposals / regulations under review that aim at reforming the current legal framework in the EU regarding the protection and circulation of personal data, it is worth mentioning the following: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications – proposal adopted by the European Commission on 10 January 2017); Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (“Data Act”); Proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (“AI Act” – proposal adopted by the European Commission on 21 April 2021); Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (“EHDS”), which should be finalized and discussed by June 2024; European Cyber Resilience Act (“CRA”), which should be voted on by the European Parliament by March 2023. In addition, the Cyber Solidarity Act, a draft regulation, is expected to be presented by the European Commission on 5 April 2023.
Adopted EU legislation: Regulation of the European Parliament and of the Council on European Data Governance (“Data Governance Act”), which entered into force on 23 June 2022 and will apply from 24 September 2023; Regulation (EU) 2022/1925 of the European Parliament and of the Council (“Digital Markets Act”), which entered into force on 1 November 2022 and will be applicable from 2 May 2023; Regulation (EU) 2022/2065 of the European Parliament and of the Council (“Digital Services Act”), which entered into force on 16 November 2022 and will apply from 17 February 2024; the NIS2 Directive, which will be enforceable by October 2024; Directive (EU) 2019/1937 of the European Parliament and of the Council, which focuses on protecting individuals who report breaches of Union law and has been transposed into Italian law through Legislative Decree No. 24/2023.
Italy: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Italy.