
Data Law Navigator | Italy

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 11 July 2019

Risk scale: Orange

Laws 

  • The Italian Legislative Decree No. 196 of 30 June 2003 (the “Privacy Code”), as amended by the Italian Legislative Decree No. 101 of 10 August 2018.

Authority

Anticipated changes to law

Local derogations as permitted by GDPR

Children.

Where point (a) of Article 6(1) GDPR applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is considered lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such processing is considered lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Deontological rules.

The Garante will promote the adoption of deontological rules relating to the processing of personal data under Article 6(1)(c) and (e), 9(4) and Chapter IX of the GDPR, which will be binding for all data controllers and processors carrying out the relevant processing activities. So far the Garante has approved the following deontological rules: (i) Deontological rules relating to the processing of personal data in the exercise of journalistic activity; (ii) Deontological rules for processing for statistical purposes or scientific research; (iii) Deontological rules for processing for statistical purposes or scientific research carried out within the national statistical system; (iv) Deontological rules for the processing of personal data carried out to carry out defensive investigations or to assert or defend a right in court, and (v) Deontological rules for processing for purposes of archiving in the public interest or for purposes of historical research.

Processing of special categories of personal data which is necessary for reasons of substantial public interest.

Article 2-sexies of the Privacy Code lists certain processing operations on special categories of personal data that shall be considered necessary for reasons of substantial public interest for the purpose of Article 9(2)(g) GDPR.

Safeguard measures for the processing of health, genetic and biometric data.

Article 2-septies of the Privacy Code provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.

Exemptions to data subject rights.

Articles 2-undecies and 2-duodecies of the Privacy Code provide for certain exemptions from the data subject rights contained in the GDPR, e.g. where the exercise of such rights could jeopardise interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.

Personal data of deceased persons.

Article 2-terdecies provides that the rights referred to in Articles 15 - 22 GDPR can be exercised by anyone who has an interest, or acts as an agent or in the interest of the deceased person, or for family reasons that deserve protection, unless the law provides otherwise. In the context of the provision of an information society service, the relevant data subject can notify the provider of such service in writing of his/her will to prevent the exercise of any or all of such rights after his/her death, without prejudice to the possibility for third parties to nonetheless exercise such rights to protect property interests or to exercise or defend a legal claim.

Processing for the performance of a task carried out by the controller in the public interest.

For the purpose of Article 36(5) GDPR, the Garante has the power to issue a general decision relating to the processing for the performance of a task carried out by the controller in the public interest, containing measures and safeguards that the controller shall comply with to protect the data subjects.

Provisions for the other processing situations as provided for in Chapter IX GDPR.

The Privacy Code contains specific provisions for some of the other processing situations as provided for in Chapter IX GDPR, i.e. freedom of expression and information; public access to official documents; employment; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Provisions for the processing necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Part II of the Privacy Code contains specific provisions applying to the processing necessary for compliance with a legal obligation (Article 6(1)(c) GDPR) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR), including specific provisions applying to the processing carried out for health protection purposes.

Garante per la protezione dei dati personali.

Article 2-bis of the Privacy Code sets out the appointment of the Garante as the Italian supervisory authority. Articles 153-156 contain details regarding the Garante’s functions and enforcement powers.

Data protection impact assessments.

On 11 October 2018, the Garante issued a general decision pursuant to Article 35(4) of Regulation (EU) 2016/679 (the “GDPR”), containing a list of processing activities that require a data protection impact assessment. The processing activities mentioned in the list are the following:

  1. Large-scale evaluation or scoring processing, as well as processing involving the profiling of data subjects and the carrying out of predictive activities, including activities online or through apps, relating to aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or conduct, location or displacements of the data subject.
  2. Automated processing for the purpose of taking decisions which have ‘legal effects’ or ‘significant similar effects’ on the data subject, including decisions which prevent the data subject from exercising a right or making use of a good or service or continuing to be party to an existing contract (e.g. screening of a bank’s clients using data recorded in a central risk database).
  3. Processing involving the systematic use of data for the purpose of observing, monitoring or controlling the data subjects, including the collection of data through networks, whether carried out online or through apps, as well as the processing of unique identifiers capable of identifying users of information society services, including web services, interactive television, etc., with respect to usage habits and viewing data for extended periods. This includes metadata processing, e.g. in telecommunications, banks, etc., carried out not only for profiling, but more generally for organisational reasons, budgetary forecasts, technological upgrades, or to improve networks, as well as to offer anti-fraud, anti-spam, security and other services.
  4. Large-scale processing of data of highly personal nature (see WP 248, rev. 01): this refers, inter alia, to data relating to family or private life (such as data relating to electronic communications for which confidentiality must be protected), to data affecting the exercise of a fundamental right (such as location data, the collection of which jeopardises freedom of movement) or whose misuse has a serious impact on the daily life of the data subject (such as financial data which could be used to commit fraud in respect of payments).
  5. Processing in the context of an employment relationship by means of technological systems (including video-surveillance and geolocation systems) from which it is possible to carry out remote monitoring of employees’ activities (see WP 248, rev. 01, in relation to criteria 3, 7 and 8).
  6. Non-occasional processing of data relating to vulnerable persons (children, disabled, elderly, mentally ill, patients, asylum seekers).
  7. Processing carried out using innovative technologies, even with particular organisational measures applied (e.g. IoT; artificial intelligence systems; use of online voice assistants via voice and text scanning; monitoring carried out by wearable devices; proximity tracking such as wi-fi tracking) whenever at least one other criterion identified in WP 248, rev. 01 applies.
  8. Processing involving large-scale data sharing between different controllers using telematic means.
  9. Processing of personal data by interconnecting, combining or comparing information, including processing activities involving the cross-referencing of digital goods data with payment data (e.g. mobile payment).
  10. Processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR linked to other personal data collected for different purposes.
  11. Systematic processing of biometric data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
  12. Systematic processing of genetic data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.

Transitional provisions.

The Italian Legislative Decree No. 101 of 10 August 2018, which reformed the Privacy Code in the light of the GDPR, provides for transitional provisions regulating (i) the efficacy of the general authorisations (e.g. for the processing of sensitive data, genetic data and judicial data) issued by the Garante before the effective date of such Decree; (ii) the efficacy of the codes of conduct and professional practice approved before the effective date of such Decree; (iii) the proceedings concerning administrative fines started by the Garante before the effective date of such Decree; (iv) the requests and claims filed with the Garante before the effective date of such Decree; and (v) breaches of the criminal law provisions of the Privacy Code committed before the effective date of such Decree.

Scope 

The Privacy Code applies to the processing of personal data and includes provisions complementing the GDPR in those areas where the GDPR leaves some flexibility to the Member States. It also contains provisions, implementing the e-Privacy Directive, concerning the processing of personal data and the protection of privacy in the electronic communications sector. The territorial scope of the Privacy Code is not specified. 

Penalties/enforcement

In addition to the administrative fines under the GDPR, the Privacy Code provides for two levels of fines, based on Article 83 of the GDPR, for violations of the provisions of the Privacy Code.

The Privacy Code furthermore stipulates criminal provisions in case of (i) unlawful data processing; (ii) illegal communication and disclosure of data processed on a large scale; (iii) fraudulent acquisition of personal data processed on a large scale; and (iv) false declarations to the Garante and interruption of the activities of the Garante.

Registration / notification 

No derogation from the GDPR under national law.

Main obligations and processing requirements

No derogation from the GDPR under national law, except with regard to the processing activities mentioned in Articles 6(1)(c) and (e), 9(2)(g), 9(4) and Chapter IX of the GDPR (please refer to paragraph “Local derogations as permitted by GDPR” above).

Data subject rights

Derogations from the GDPR

Article 2-undecies of the Privacy Code contains a list of cases in which data subjects cannot exercise their rights under Articles 15-22 of the GDPR, e.g. if the exercise of such rights can jeopardize interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context. 

Processing by third parties

No derogation from the GDPR under national law.

Transfers out of country

No derogation from the GDPR under national law. 

Data Protection Officer

Derogations from the GDPR

Italian judicial authorities will have to appoint a data protection officer in relation to the processing of personal data carried out in the context of their activity.

Security

No derogation from the GDPR for the time being. However, Article 2-septies provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.

Breach notification

No derogation from the GDPR.

Direct marketing

Automated calling systems without human intervention, email, SMS/MMS, fax or other forms of electronic communications: opt-in (both for natural persons and legal persons); soft opt-in is allowed for e-mail marketing only, provided that the conditions set forth in Article 130(4) of the Privacy Code (which substantially reflects Article 13(2) of e-Privacy Directive) are met.

Specific rules apply to marketing telephone calls and mail marketing.

Cookies

Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or a user is permitted only on condition that the contracting party or user has given consent after having been informed. Consent is not required if the technical storage or access to stored information is (i) aimed exclusively at carrying out the transmission of a communication on an electronic communication network, or (ii) strictly necessary for the provision of an information society service that has been explicitly requested by the contracting party or user.

The Garante has issued a general decision on cookies, stating that:

  • first-party technical or analytics cookies and less intrusive third-party analytics cookies (e.g. cookies which use IP masking and do not aggregate data obtained from different sources) can be used without the user’s consent, provided that the use of these cookies is mentioned in the privacy notice to the users
  • third-party analytics cookies and first-party/third-party profiling cookies can be used only if specific conditions are met and with the user’s prior consent, which can be obtained through a banner/pop-up on a website.


Cyber Security

Last updated 11 July 2019

Risk scale: Orange

Laws and regulations

  • Legislative Decree no. 65 of 18 May 2018 (the "Decree"), implementing the EU NIS Directive.
  • The Privacy Code (Legislative Decree No. 196 of 30 June 2003) as amended by the Legislative Decree no. 101 of 10 August 2018.
  • The AgID Circular n. 2 of 2017 concerning ICT minimum security requirements for Public Administrations.
  • Sector-specific obligations to protect data security are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) on companies such as banks, financial services providers and insurance companies.
  • National Cybernetic Protection and Cyber Security Plan of 2017 (published on the Italian Official Journal of 31 May 2017) (“the Plan”).

Anticipated changes to law

  • Adoption of a decree that will regulate the organisation of the new “CSIRT” and the “Technical Committee”, both defined under “Authority” below.
  • Update of the Plan and adoption of a national cyber security strategy in compliance with all the requirements under Article 7 of the EU NIS Directive.

Application

The Decree sets out security and notification requirements for:

  • Operators of Essential Services (‘OES’) / “Operatori di servizi essenziali”, i.e. a public or private entity providing key services in energy (electricity, oil and gas), transport (air, rail, maritime and road), banking and financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructure.
  • Digital Service Providers (‘DSP’) / “Fornitori di Servizi Digitali”, i.e. any legal person that provides a digital service, such as an online marketplace, an online search engine or a cloud computing service.

Authority

The Decree designates the following authorities:

1. The NIS competent authorities:

A. For Operators of Essential Services (OES):

Energy (electricity, oil and gas) and digital infrastructure

  • Ministry of Economic Development (Ministero dello Sviluppo Economico – Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione (ISCTI))

Transport (air, rail, maritime and road)

  • Ministry of Infrastructure and Transport (Ministero delle Infrastrutture e dei Trasporti – Organo Centrale di Sicurezza)

Banking and financial market infrastructures

  • Ministry of Economy and Finance (Ministero dell’Economia e delle Finanze)

Health sector

  • Ministry of Health (Ministero della Salute)

Drinking water supply and distribution

  • Ministry for Environment, Land and Sea Protection (Ministero dell’ambiente e della tutela del territorio e del mare)

B. For Digital Service Providers (‘DSP’):

  • Ministry of Economic Development (Ministero dello Sviluppo Economico – Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione (ISCTI))

The NIS competent authorities:

  • shall identify the operators of essential services having an establishment in Italy;
  • shall, on a regular basis, and at least every two years after 9 May 2018, review and, where appropriate, update the list of identified operators of essential services;
  • shall monitor the application of the Decree and have sanctioning and inspection powers;
  • may lay down guidelines for the incident notification or request the implementation of specific security measures.

2. The single point of contact

The DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department).

The single point of contact shall exercise a liaison function to ensure cross-border cooperation of the NIS competent authorities and with relevant authorities in other Member States and with the Cooperation Group established by the EU NIS Directive and the CSIRTs network.

3. Computer security incident response team (CSIRT)

The CSIRT will be established by a decree of the President of the Council of Ministers through the merger of the current national CERT and CERT-PA. Pending the definition of the operation and organisation of the new CSIRT, the tasks of the CSIRT are jointly performed by the CERT and CERT-PA.

The CSIRT (i) defines the procedures for the prevention and management of incidents; (ii) receives incident notifications and forwards them to the DIS, as the single point of contact; (iii) provides the notifying party with information that may facilitate the management of the incident; (iv) notifies other EU Member States that may be affected by the incident; and (v) collaborates in the CSIRT network.

4. Technical Committee

The Technical Committee will be established by a decree to be issued by the President of the Council of Ministers, and will have the task to coordinate the cooperation among the NIS competent authorities, the single point of contact and the CSIRT.

***

Italy’s Intelligence System for the Security of the Republic (www.sicurezzanazionale.gov.it) is the collective name given to the authorities and organisations responsible for intelligence policies, intelligence coordination and intelligence operations. The Security Intelligence System includes:

  • the President of the Council of Ministers;
  • the Delegated Authority;
  • the CISR – Comitato Interministeriale per la Sicurezza della Repubblica (Interministerial Committee for the Security of the Republic);
  • the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department);
  • the AISE – Agenzia informazioni e sicurezza esterna (External Intelligence and Security Agency);
  • the AISI – Agenzia informazioni e sicurezza interna (Internal Intelligence and Security Agency).

Key obligations

The Decree requires operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures for the management of risks and the prevention of IT incidents. With regard to operators of essential services, the Decree also specifies that, in taking such measures, operators must take due account of the Cooperation Group’s guidelines. Digital service providers, on the other hand, need to take into consideration all the elements specified in the European Commission’s implementing regulation under the EU NIS Directive (Regulation (EU) 2018/151).

With reference to the incident notification obligations, the Decree provides that operators of essential services must notify the CSIRT, without undue delay, of cyber incidents that have a significant impact on the “continuity of the essential services they provide”. A similar obligation also applies to digital service providers. With regard to the incidents that digital service providers are required to notify, Regulation (EU) 2018/151 indicates which parameters should be taken into consideration in order to determine whether the impact of a given incident is relevant and therefore must be notified.

Notwithstanding the above, all other entities that cannot be classified as operators of essential services or digital service providers may nonetheless decide to notify certain incidents voluntarily.

Penalties/enforcement

The Decree provides for penalties of up to EUR 150,000 for non-compliance with the obligations set forth in the Decree.

In case of non-compliance with the data breach notification obligations or the security obligations provided for by the Privacy Code, the Italian Data Protection Authority can apply monetary sanctions.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

There are two main CERTs:

  • the national Computer Emergency Response Team (CERT) (www.certnazionale.it) for businesses and citizens, managed by the Italian Ministry of Economic Development;
  • CERT-PA (www.cert-pa.it), managed by the Italian Digital Agency (AgID), for the Italian public administration.

Both CERTs will be merged to establish the CSIRT.

Is there a national incident management structure for responding to cyber security incidents?

Yes.

The Nucleo per la sicurezza cibernetica (Cyber Security Center) of the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department) is the competent body for the management of cyber security incidents.


Authors

Italo de Feo
Partner
Rome