New Amendments to Data Protection Law in Italy
Italy’s Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679), or the Code for short, is a data protection law that was amended in 2018. As Italy is a member of the European Union, the Code was amended for the purposes of implementing the provisions of the General Data Protection Regulation or GDPR into Italian law. As a result, the Code and the EU’s GDPR law work in conjunction with one another to establish the legal framework under which personal data may be processed within Italy, as well as the punishments that can be imposed against individuals and organizations who fail to comply with the law.
What are the primary differences between the Code and the EU’s GDPR law?
While the rights of Italian citizens and the requirements of data controllers and processors remain the same under both the Code and the EU’s GDPR law, one of the primary differences between the two pieces of legislation is the age of consent as it pertains to the legality of data processing activities. Under the EU’s GDPR law, the age of consent with respect to data collection and processing is 18. Conversely, the Code “provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is below the age of 14 years, such consent must be provided by the holder of parental responsibility.”
The two laws also differ in how the law is regulated and enforced. Under the Code, Italy’s data protection authority, called the ‘Garante’ for short, is authorized to carry out various functions in enforcing the law. These functions are:
- To supervise data processing activities to ensure the respect of data protection rules;
- To take action upon complaints lodged by data subjects;
- To lay down ethical rules for the personal data processing carried out both by public and private bodies in the employment context;
- To report crimes that can be prosecuted ex officio and detected in the exercise of its powers and functions;
- To mandate specific measures to data controllers and processors to correctly process personal data;
- To prohibit or block data processing activities that may constitute a risk for data subjects;
- To adopt resolutions and draft opinions;
- To suggest to the Italian Government and the Italian Parliament the necessity to adopt specific legislative/regulatory measures.
Additionally, there are some variations between the two laws in the processing of special categories of personal data. Under the EU’s GDPR law, public entities such as universities and research institutions are permitted to disclose and disseminate personal data, if such disclosure or dissemination is in line with the scientific and technological research goals of said institutions. However, under the Code, these exceptions do not apply to special categories of personal data, such as biometric, health, or genetic data, or to personal data concerning criminal offenses or convictions, where data controllers and processors operating within Italy are concerned.
What are the punishments for violating the provisions of the Code?
Under the Code, data controllers and processors within Italy who violate the law are subject to the same fines and penalties as other such organizations operating within EU member states. Such sanctions include “administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year if higher”, depending on the scope and severity of the offense in question. Furthermore, the Garante also has the authority to impose penalties against data controllers and processors within Italy, which include a term of imprisonment of up to six years, administrative sanctions, and further monetary penalties. Actions that could lead to such punishments include unlawfully communicating or transmitting personal data, or obtaining personal data under unlawful circumstances, among others.
By amending Italy’s Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679), in 2018, Italy was able to further guarantee the data protection and personal privacy rights of its citizens. As the Code implements the various provisions of the EU’s GDPR law into Italian law, data controllers and processors who carry out operations within Italy stand to face sanctions on two separate fronts should they violate the rights of Italian citizens under either legal statute. In this way, the European Union continues to lead the international charge for placing the utmost importance on data protection and personal privacy.