ITALY

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name

DECRETO LEGISLATIVO 30 giugno 2003, n.196 recante il “Codice in materia di protezione dei dati personali” (in S.O n. 123 alla G.U. 29 luglio 2003, n. 174) integrato con le modifiche introdotte dal Decreto legislativo 10 agosto 2018, n. 101

Status: Adopted

SME exception

SPECIFYING PROVISION:

The Italian Supervisory Authority (SA) has the power to simplify procedures for micro, small, and medium-sized enterprises (Art 154-bis Italian Act).

Lawfulness of processing (Art 6)

SPECIFYING REGULATIONS:

Codes of practice promoted by the Italian SA (subject to public consultation for at least 60 days) will be developed for processing necessary for (1) compliance with a legal obligation a controller is subject to; and (2) the performance of a task carried out in the public interest or in the exercise of official authority vested in a controller (Art 2-quater Italian Act) (Art 6(1)(c) & (e) GDPR).

Child’s consent (Art 8)

SPECIFYING PROVISION:

The processing of personal data of a child for information society services is lawful when the child is 14 years old (Art 2-quinquies Italian Act) (Art 8 GDPR).

Sensitive data (genetic, biometric, and health data) (Art 9(4))

REGULATORY GUIDANCE:

The Italian SA is to issue safeguarding measures to be observed in the processing of genetic, biometric, and health data. This guidance will be published at least every two years (Art 2-sexies Italian Act) (Art 9(4) GDPR).

CCTV (Art 6)

No Deviation

Criminal convictions/security measures (Art 10)

SPECIFYING PROVISION:

Provides areas where processing data related to criminal convictions and crimes or related security measures may be necessary for the assessment, exercise, or defense of a right in court; for mediation aimed at reconciling civil or commercial disputes; and to fulfill legal obligations related to the prevention of money laundering and terrorism using financial systems (Art 2-octies Italian Act) (Art 10 GDPR).

Information obligation (Art 13 & 14)

SPECIFYING PROVISION:

When a curriculum vitae is spontaneously received, a privacy notice may be provided at the time of first useful contact thereafter. To the extent that the legal basis under Art 6(1)(b) GDPR is applicable (processing necessary for the performance of a contract), consent is not required (Art 111-bis Italian Act) (Art 13 GDPR).

Automated individual decision making (Art 22)

No Deviation

Restrictions to data subject’s rights (Art 23)

RESTRICTING PROVISION:

The exercise of the rights referred to in Art 15–22 GDPR is prohibited if such exercise may result in an actual and concrete prejudice to the (1) interests protected in anti-money laundering provisions; (2) interests protected under provisions for victims of extortion; (3) activities of parliamentary inquiries under Art 82 of the Constitution; (4) activities carried out by a public body, other than public economic bodies, related to monetary policy, payment systems, and intermediaries and credit and financial markets; (5) carrying out of defensive investigations or exercising of a right in court; and (6) confidentiality of an employee’s identity related to whistleblowing (Art 2-undecies Italian Act) (Art 23 GDPR).

Joint controller responsibilities (Art 26 (1))

No Deviation

Ad hoc notifications – records of processing activities (Art 30)

No Deviation

Security of processing (Art 32)

No Deviation

Data breach (Art 33 & 34)

No Deviation

Data protection impact assessment (Art 35)

No Deviation

Data protection officer (Art 37(4))

No Deviation

Certification (Art 42)

No Deviation

Data transfer derogations (Art 49(5))

No Deviation

Powers of supervisory authorities (Art 58)

SPECIFYING PROVISIONS:

The Act sets forth additional tasks and powers of the Italian SA (Art 154, 154-bis & 157 Italian Act) (Art 57–58 GDPR).

Class actions (Art 80(2))

No Deviation

Administrative sanctions (Art 83)

No Deviation

Penalties (Art 84)

SPECIFYING PROVISION:

Criminal sanctions are enhanced to include additional offenses such as unlawful communication and disclosure of personal data processed on a large scale, the fraudulent acquisition of personal data subject to large-scale processing, and false statements made to the Italian SA (Art 167, 167-bis, 167-ter & 168 Italian Act) (Art 84 GDPR).

Freedom of expression and information (Art 85)

SPECIFYING REGULATIONS:

Codes of practice promoted by the Italian SA (subject to public consultation for at least 60 days) will be developed in relation to Ch IX GDPR (Art 2-quater Italian Act) (Art 85 GDPR).

HR processing (Art 88)

SPECIFYING REGULATIONS:

Codes of practice promoted by the Italian SA (subject to public consultation for at least 60 days) will be developed in relation to Ch IX GDPR (Art 2-quater Italian Act) (Art 88 GDPR).

Processing for archiving, scientific, historical research, or statistical purposes (Art 89)

SPECIFYING REGULATIONS:

Codes of practice promoted by the Italian SA (subject to public consultation for at least 60 days) will be developed in relation to Ch IX GDPR (Art 2-quater Italian Act) (Art 89 GDPR).

SPECIFYING PROVISION:

The Italian SA may authorize further processing of personal data by third parties for scientific research purposes or statistical purposes (Art 110-bis Italian Act) (Art 89 GDPR).

Obligations of secrecy (Art 90)

SPECIFYING REGULATIONS:

Codes of practice promoted by the Italian SA (subject to public consultation for at least 60 days) will be developed in relation to Ch IX GDPR (Art 2-quater Italian Act) (Art 90 GDPR).

Remarks

The Italian Act changes the term limits for the Italian SA (Garante) members: the president and members shall hold office for a nonrenewable period of seven years (Art 153 Italian Act) (Art 53 GDPR).

SPECIFYING PROVISION:

Provides areas where processing may be necessary for reasons of substantial public interest such as social welfare activities; maintaining the national registry of drivers and national vehicle archives; citizenship, immigration, and refugee activities; accessing administrative documents and civic access; and facilitating national health services (Art 2-sexies Italian Act) (Art 9(2)(g) GDPR).