Data Law Navigator | Italy

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 29 October 2018

Laws 

  • The Italian Legislative Decree No. 196 of 30 June 2003 (the “Privacy Code”), as amended by the Italian Legislative Decree No. 101 of 10 August 2018.

Anticipated changes to law

The new EU e-Privacy Regulation is set to replace the EU Directive 2002/58/EC (the e-Privacy Directive). In effect, it will replace the provisions of the Privacy Code implementing the e-Privacy Directive. The Regulation is still in the legislative process, with no definite timeframe for implementation.

If applicable: stage of legislative implementation of GDPR

The Italian Legislative Decree No. 101 of 10 August 2018, which became effective on 19 September 2018, has extensively reformed and reorganised the Privacy Code in the light of the GDPR.

Local derogations as permitted by GDPR

Children. Where point (a) of Article 6(1) GDPR applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is considered lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such processing is considered lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Deontological rules. The Garante will promote the adoption of deontological rules relating to the processing of personal data under Article 6(1)(c) and (e), 9(4) and Chapter IX of the GDPR, which will be binding for all data controllers and processors carrying out the relevant processing activities.

Processing of special categories of personal data which is necessary for reasons of substantial public interest. Article 2-sexies of the Privacy Code lists certain processing operations on special categories of personal data that shall be considered necessary for reasons of substantial public interest for the purpose of Article 1(2)(g) GDPR.

Safeguard measures for the processing of health, genetic and biometric data. Article 2-septies of the Privacy Code provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.

Exemptions to data subject rights. Articles 2-undecies and 2-duodecies of the Privacy Code provide for certain exemptions in respect of the data subject rights contained in the GDPR, e.g. where the exercise of such rights could jeopardise interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.

Personal data of deceased persons. Article 2-terdecies provides that the rights referred to in Articles 15-22 GDPR can be exercised by anyone who has an interest, or who acts as an agent or in the interest of the deceased person, or for family reasons that deserve protection, unless the law provides otherwise. In the context of the provision of an information society service, the relevant data subject can notify the provider of such service in writing of his/her wish to prevent the exercise of any or all of such rights after his/her death, without prejudice to the possibility for third parties to nonetheless exercise such rights to protect property interests or to exercise or defend a legal claim.

Processing for the performance of a task carried out by the controller in the public interest. For the purpose of Article 36(5) GDPR, the Garante has the power to issue a general decision relating to the processing for the performance of a task carried out by the controller in the public interest, containing measures and safeguards that the controller shall comply with to protect the data subjects.

Provisions for the other processing situations as provided for in Chapter IX GDPR. The Privacy Code contains specific provisions for some of the other processing situations as provided for in Chapter IX GDPR, i.e. freedom of expression and information; public access to official documents; employment; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Provisions for the processing necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Part II of the Privacy Code contains specific provisions applying to the processing necessary for compliance with a legal obligation (Article 6(1)(a) GDPR) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR), including specific provisions applying to the processing carried out for health protection purposes.

Garante per la protezione dei dati personali. Article 2-bis of the Privacy Code sets out the appointment of the Garante as Italy’s supervisory authority. Articles 153-156 contain details regarding the Garante’s functions and enforcement powers.

Transitional provisions. The Italian Legislative Decree No. 101 of 10 August 2018, which reformed the Privacy Code in the light of the GDPR, contains transitional provisions regulating: (i) the effectiveness of the general authorisations (e.g. for the processing of sensitive data, genetic data and judicial data) issued by the Garante before the effective date of the Decree; (ii) the effectiveness of the codes of conduct and professional practice approved before the effective date of the Decree; (iii) the proceedings concerning administrative fines started by the Garante before the effective date of the Decree; (iv) the requests and claims filed with the Garante before the effective date of the Decree; and (v) breaches of the criminal law provisions of the Privacy Code committed before the effective date of the Decree.

Scope 

The Privacy Code applies to the processing of personal data and includes provisions complementing the GDPR in those areas where the GDPR leaves some flexibility to the Member States. It also contains provisions, implementing the e-Privacy Directive, concerning the processing of personal data and the protection of privacy in the electronic communications sector. The territorial scope of the Privacy Code is not specified. 

Penalties/enforcement

In addition to the administrative fines under the GDPR, the Privacy Code provides for two levels of fines, based on Article 83 of the GDPR, for violations of the provisions of the Privacy Code.

The Privacy Code furthermore stipulates criminal provisions in case of: (i) unlawful data processing; (ii) illegal communication and disclosure of data processed on a large scale; (iii) fraudulent acquisition of personal data processed on a large scale; and (iv) false declarations to the Garante and interruption of the activities of the Garante.

Registration / notification 

No derogation from the GDPR under national law.

Main obligations and processing requirements

No derogation from the GDPR under national law, except with regard to the processing activities mentioned in Articles 6(1)(c) and (e), 9(2)(g), 9(4) and Chapter IX of the GDPR (please refer to paragraph “Local derogations as permitted by GDPR” above).

Data subject rights

Derogations from the GDPR

Article 2-undecies of the Privacy Code contains a list of cases in which data subjects cannot exercise their rights under Articles 15-22 of the GDPR, e.g. where the exercise of such rights could jeopardise interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.

Processing by third parties

No derogation from the GDPR under national law.

Transfers out of country

No derogation from the GDPR under national law. 

Data Protection Officer

Derogations from the GDPR

Italian judicial authorities will have to appoint a data protection officer in relation to the processing of personal data carried out in the context of their activities.

Security

No derogation from the GDPR for the time being. However, Article 2-septies provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.

Breach notification

No derogation from the GDPR.

Direct marketing

Automated calling systems without human intervention, email, SMS/MMS, fax or other forms of electronic communications: opt-in (both for natural persons and legal persons); soft opt-in is allowed for e-mail marketing only, provided that the conditions set forth in Article 130(4) of the Privacy Code (which substantially reflects Article 13(2) of e-Privacy Directive) are met.

Specific rules apply to marketing telephone calls and mail marketing.

Cookies

Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or a user is permitted only on condition that the contracting party or user has given consent after having been informed. Consent is not required if the technical storage or access to stored information is: (i) aimed exclusively at carrying out the transmission of a communication over an electronic communications network; or (ii) strictly necessary for the provision of an information society service that has been explicitly requested by the contracting party or user.

The Garante has issued a general decision on cookies, stating that:

  • first-party technical or analytics cookies and less intrusive third-party analytics cookies (e.g. cookies which use IP masking and do not aggregate data obtained from different sources) can be used without the user’s consent, provided that the use of these cookies is mentioned in the privacy notice to the users;
  • third-party analytics cookies and first-party/third-party profiling cookies can be used only if specific conditions are met and with the user’s prior consent, which can be obtained through a banner/pop-up on a website.

Cyber Security

Last updated 25 April 2018

Laws and regulations

  • The Privacy Code (Legislative Decree No. 196 of 30 June 2003) requires data controllers to implement minimum security measures to protect personal data. Higher standards are imposed on companies controlling more critical types of data (e.g. sensitive data or genetic data) or providing certain types of services (i.e. electronic communications service providers). Public entities must implement the additional security measures required by the Italian Digital Agency (AgID), set out in its circular letter of 18 April 2017.
  • Sector-specific obligations to protect data security are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) on companies such as banks, financial services providers and insurance companies. 
  • The Italian government has recently approved a new national plan for cyber security (published on the Italian Official Journal of 31 May 2017) (“the Plan”), based on the Decree of the President of the Ministers’ Council of 17 February 2017 (“the Decree”).

Anticipated changes to law

  • The EU NIS Directive has not yet been transposed into Italian law. 
  • On 25 October 2017, the Italian Parliament issued Law No. 163, delegating the Italian government to transpose the EU NIS Directive into Italian law within four months of the effective date of the same law.

Application

The Decree allocates responsibilities for cyber protection and national computer security within the Italian public administration, and sets out the guidelines to be followed to achieve national security. It also prescribes the obligations applicable to private operators (including providers of electronic communications networks and services, suppliers of digital services, providers managing critical infrastructures). 

The Plan sets out a roadmap and defines the main goals for enhancing and strengthening the Italian cyber security strategy.

Authority

There is no single competent authority for network and information security.

Italy’s Intelligence System for the Security of the Republic (www.sicurezzanazionale.gov.it) is the collective name given to the authorities and organisations responsible for intelligence policies, intelligence coordination and intelligence operations. The Security Intelligence System includes:

  • the President of the Council of Ministers
  • the Delegated Authority
  • the CISR – Comitato Interministeriale per la Sicurezza della Repubblica (Interministerial Committee for the Security of the Republic)
  • the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department)
  • the AISE – Agenzia informazioni e sicurezza esterna (External Intelligence and Security Agency)
  • the AISI – Agenzia informazioni e sicurezza interna (Internal Intelligence and Security Agency).

Key obligations

Providers of publicly available electronic communications networks or services, providers of essential services (as defined in Annex II of the EU NIS Directive), providers of digital services (as defined in Annex III of the EU NIS Directive) and operators of critical national infrastructures are required to:

  • notify the competent authorities of any significant data breach event
  • adopt best practices to maintain cyber security
  • provide information to the competent authorities and allow such authorities to access their security operation centres and other databases which are relevant for cyber security
  • collaborate with the competent authorities for the management of cyber security emergencies.

Penalties/enforcement

The Decree does not provide for penalties for non-compliance with the above-mentioned obligations applying to the private sector. However, the Decree states that any non-compliance with the above-mentioned obligations can be taken into account in the context of the granting of a security qualification to a private operator.  

In case of non-compliance with the data breach notification obligations or the security obligations provided for by the Privacy Code, the Italian Data Protection Authority can impose monetary sanctions. Failure to adopt the minimum security measures provided for by the Privacy Code may also be subject to criminal law sanctions.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

There are two main CERTs:

  • the national Computer Emergency Response Team (CERT) (www.certnazionale.it) for businesses and citizens, managed by the Italian Ministry of Economic Development
  • CERT-PA (www.cert-pa.it), managed by the Italian Digital Agency (AgID), for the Italian public administration.

There is no CSIRT.

Is there a national incident management structure for responding to cyber security incidents?

Yes.

The Nucleo per la sicurezza cibernetica (Cyber Security Center) of the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department) is the competent body for the management of cyber security incidents.

Authors

Italo de Feo
Partner
Rome
Marco Leone
Counsel
Rome