New Data Protection Law in the Enclave of San Marino

San Marino Law no. 171 of 21 December 2018 is a data protection law that was recently passed in the European microstate of San Marino in 2018. Although the country of San Marino has various monetary agreements with the European Union, the EU was not created with microstates in mind, and the country is subsequently not formally a part of the EU. To this point, San Marino does not fall under the jurisdiction of the General Data Protection Regulation or GDPR, creating a need for a data protection law that would protect the personal data of data subjects within the country. This need was fulfilled with the enactment of San Marino Law no. 171 of 21 December 2018, as the law establishes the legal basis for the collection, processing, use, disclosure, and transfer of personal data within the country.

How are data controllers and processors defined under San Marino Law no. 171 of 21 December 2018?

Under San Marino Law no. 171 of 21 December 2018, a data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” Conversely, a data processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Moreover, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.”

What are the responsibilities of data controllers and processors under San Marino Law no. 171 of 21 December 2018?

Under San Marino Law no. 171 of 21 December 2018, data controllers, processors, and associated third parties with the country have the following responsibilities as it pertains to data processing activities:

• The processing of personal data may only be lawful if said processing is done so in accordance with various principles set forth in the law, such as if “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, among others.
• Personal data must be collected and processed in a manner that is fair, law, and transparent.
  “Where the processing for a purpose other than that for which the personal data have been collected is not based on the conditions referred to in the previous paragraph, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account.”
• Personal data may only be collected or processed in accordance with the expressed consent of applicable data subjects.
• When collecting personal data from data subjects, data controllers and processors must provide said data subjects with various information concerning the purpose for which their data is to be collected or processed, among other pertinent information.
• The processing of sensitive personal data, such as personal data relating to ethnic or racial origin, is prohibited under the law, subject to certain exceptions. Such exceptions include instances in which an applicable data subject consents to the collection and processing of their personal data, among others.
• The collection and processing of personal data concerning criminal convictions or offenses may only be done so under the “under the control of official authority.”

What are the rights of data subjects under the San Marino Law no. 171 of 21 December 2018?

Under San Marino Law no. 171 of 21 December 2018, data subjects within the country have the following data protection rights:

• The right of access.
• The right to be informed.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• “The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

In terms of punishments with respect to violations of the law, San Marino Law no. 171 of 21 December 2018 is enforced by the country’s Data Protection Authority. As such, San Marino’s Data Protection Authority can impose a variety of penalties against data controllers and processors who fail to comply with the law. Such penalties include the following:

• “Administrative fines up to ten million euros ($11,291,000), or for undertakings, up to 4 % of the total annual turnover in the preceding financial year, whichever is higher.”
• “Administrative fines up to five million euros ($5,644,325), or in the case of an undertaking, up to 2 % of the total annual turnover of the previous financial year, whichever is higher.”
• “A temporary or definitive limitation on processing or the suspension of data flows by the Data Protection Authority.”

As San Marino is an enclave surrounded by Italy, passing a data protection law that would provide data subjects within San Marino with a similar level of protection that is afforded to EU members states under the General Data Protection Regulation was very much needed. Despite the fact that San Marino is not formally a part of their European Union, the economic relationship that they have with the EU dictates that any personal data that is collected or processed within the country must be done so in accordance with strict regulations and standards. Such regulations and standards were achieved in the passing of San Marino Law no. 171 of 21 December 2018, as the law sets forth steep punishments for data controllers and processors who fail to comply.