The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated March 2020
- General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), in force since 25 May 2018.
- The Italian Legislative Decree No. 196 of 30 June 2003 (the “Privacy Code”), as amended by the Italian Legislative Decree No. 101 of 10 August 2018.
Garante per la protezione dei dati personali (the “Garante”) (www.garanteprivacy.it).
If applicable: local derogations as permitted by GDPR
Where point (a) of Article 6(1) GDPR applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is considered lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such processing is considered lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The Garante will promote the adoption of deontological rules relating to the processing of personal data under Article 6(1)(c) and (e), 9(4) and Chapter IX of the GDPR, which will be binding for all data controllers and processors carrying out the relevant processing activities. So far the Garante has approved the following deontological rules: (i) Deontological rules relating to the processing of personal data in the exercise of journalistic activity; (ii) Deontological rules for processing for statistical purposes or scientific research; (iii) Deontological rules for processing for statistical purposes or scientific research carried out within the national statistical system; (iv) Deontological rules for the processing of personal data carried out for defensive investigations purposes or to assert or defend a right in court, and (v) Deontological rules for processing for purposes of archiving in the public interest or for purposes of historical research.
Processing of special categories of personal data which is necessary for reasons of substantial public interest
Article 2-sexies of the Privacy Code lists some processing of special categories of personal data that shall be considered as necessary for reasons of substantial public interest for the purpose of Article 1(2)(g) GDPR.
Safeguard measures for the processing of health, genetic and biometric data
Article 2-septies of the Privacy Code provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.
Exemptions to data subject rights
Articles 2-undecies and 2-duodecies of the Privacy Code provide for certain exemptions in respect of the data subject rights contained in the GDPR, e.g. if the exercise of such rights can jeopardize interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.
Personal data of deceased persons
Article 2-terdecies provides that the rights referred to in Articles 15-22 GDPR can be exercised by anyone who has an interest, or acts as an agent or in the interest of the deceased person, or for family reasons that deserve protection, unless the law provides otherwise. In the context of the provision of an information society service, the relevant data subject can notify the provider of such service in writing of his/her will to prevent the exercise of any or all of such rights after his/her death, without prejudice to the possibility for third parties to nonetheless exercise such rights to protect property interests or to exercise or defend a legal claim.
Processing for the performance of a task carried out by the controller in the public interest
For the purpose of Article 36(5) GDPR, the Garante has the power to issue a general decision relating to the processing for the performance of a task carried out by the controller in the public interest, containing measures and safeguards that the controller shall comply with to protect the data subjects.
Provisions for the other processing situations as provided for in Chapter IX GDPR
The Privacy Code contains specific provisions for some of the other processing situations as provided for in Chapter IX GDPR, i.e. freedom of expression and information; public access to official documents; employment; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Provisions for the processing necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Part II of the Privacy Code contains specific provisions applying to the processing necessary for compliance with a legal obligation (Article 6(1)(a) GDPR) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR), including specific provisions applying to the processing carried out for health protection purposes.
Data Protection Authority (Garante per la protezione dei dati personali)
Article 2-bis of the Privacy Code sets out the appointment of the Garante as Italy’s supervisory authority. Articles 153-156 contain details regarding the functions of the Garante and its enforcement powers.
Data protection impact assessments
On 11 October 2018, the Garante issued a general decision pursuant to Article 35, paragraph 4 of the Regulation EU 2016/679 (the “GDPR”), containing a list of processing activities that require a data protection impact assessment. The processing activities mentioned in the list are the following:
- Large-scale evaluation or scoring processing, as well as processing involving the profiling of data subjects and the carrying out of predictive activities, including activities online or through apps, relating to aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or conduct, location or displacements of the data subject.
- Automated processing for the purpose of taking decisions which have ‘legal effects’ or ‘significant similar effects’ on the data subject, including decisions which prevent the data subject from exercising a right or making use of a good or service or continuing to be party to an existing contract (e.g. screening of a bank’s clients using data recorded in a central risk database).
- Processing involving the systematic use of data for the purpose of observing, monitoring or controlling the data subjects, including the collection of data through networks, whether carried out online or through apps, as well as the processing of unique identifiers capable of identifying users of information society services, including web services, interactive television, etc., with respect to usage habits and viewing data for extended periods. This includes metadata processing, e.g. in telecommunications, banks, etc., carried out not only for profiling, but more generally for organizational reasons, budgetary forecasts, technological upgrades, or to improve networks, as well as to offer anti-fraud, anti-spam, security and other services.
- Large-scale processing of data of a highly personal nature (see WP 248, rev. 01): this refers, inter alia, to data relating to family or private life (such as data relating to electronic communications, for which confidentiality must be protected), to data affecting the exercise of a fundamental right (such as location data, the collection of which jeopardizes the freedom of movement) or whose misuse has a serious impact on the daily life of the data subject (such as financial data which could be used to commit fraud in respect of payments).
- Processing in the context of an employment relationship by means of technological systems (including video-surveillance and geolocation systems) from which it is possible to carry out remote monitoring of employees’ activities (see WP 248, rev. 01, in relation to criteria 3, 7 and 8);
- Non-occasional processing of data relating to vulnerable persons (children, disabled, elderly, mentally ill, patients, asylum seekers);
- Processing carried out using innovative technologies, even with particular organizational measures applied (e.g. IoT; artificial intelligence systems; use of online voice assistants via voice and text scanning; monitoring carried out by wearable devices; proximity tracking such as wi-fi tracking), whenever at least one other criterion identified in WP 248, rev. 01 applies;
- Processing involving large-scale data sharing between different controllers using telematic means;
- Processing of personal data by interconnecting, combining or comparing information, including processing activities involving the cross-referencing of digital goods data with payment data (e.g. mobile payment);
- Processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR linked to other personal data collected for different purposes.
- Systematic processing of biometric data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
- Systematic processing of genetic data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
The Italian Legislative Decree No. 101 of 10 August 2018, which reformed the Privacy Code in the light of the GDPR, provides for transitional provisions regulating (i) the efficacy of the general authorizations (e.g. to the processing of sensitive data, genetic data and judicial data) issued by the Garante before the effective date of such Decree; (ii) the efficacy of the codes of conduct and professional practice approved before the effective date of such Decree; (iii) the proceedings concerning administrative fines started by the Garante before the effective date of such Decree; (iv) the requests and claims filed with the Garante before the effective date of such Decree; and (v) breaches of the criminal law provisions of the Privacy Code committed before the effective date of such Decree.
The Privacy Code applies to the processing of personal data and includes provisions complementing the GDPR in those areas where the GDPR leaves some flexibility to the Member States. It also contains provisions, implementing the e-Privacy Directive, concerning the processing of personal data and the protection of privacy in the electronic communications sector. The territorial scope of the Privacy Code is not specified.
In addition to the administrative fines under the GDPR, the Privacy Code provides for two levels of fines, based on Article 83 of the GDPR, for violations of the provisions of the Privacy Code.
The Privacy Code furthermore stipulates criminal provisions in case of (i) unlawful data processing, (ii) illegal communication and disclosure of data processed on a large scale, (iii) fraudulent acquisition of personal data processed on a large scale; (iv) false declarations to the Garante and interruption of the activities of the Garante.
No derogation from the GDPR under national law.
Main obligations and processing requirements
No derogation from the GDPR under national law, except with regard to the processing activities mentioned in Articles 6(1)(c) and (e), 9(2)(g), 9(4) and Chapter IX of the GDPR (please refer to paragraph “Local derogations as permitted by GDPR” above).
Data subject rights
Derogation from the GDPR
Article 2-undecies of the Privacy Code contains a list of cases in which data subjects cannot exercise their rights under Articles 15-22 of the GDPR, e.g. if the exercise of such rights can jeopardize interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.
Processing by third parties
No derogation from the GDPR under national law.
Transfers out of country
No derogation from the GDPR under national law.
Data Protection Officer
Derogations from the GDPR
Italian judicial authorities will have to appoint a data protection officer in relation to the processing of personal data carried out in the context of their activity.
No derogation from the GDPR for the time being.
However, Article 2-septies provides that the Garante shall issue a general decision setting forth specific safeguard measures (including security measures) that shall be complied with when health, genetic or biometric data are processed.
No derogation from the GDPR.
Automated calling systems without human intervention, email, SMS/MMS, fax or other forms of electronic communications: opt-in (both for natural persons and legal persons); soft opt-in is allowed for e-mail marketing only, provided that the conditions set forth in Article 130(4) of the Privacy Code (which substantially reflects Article 13(2) of e-Privacy Directive) are met.
Specific rules apply to marketing telephone calls and mail marketing.
Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or a user is permitted only on condition that the contracting party or user has given consent after having been informed. Consent is not required if technical storage or access to stored information is: aimed exclusively at carrying out the transmission of a communication over an electronic communications network; or strictly necessary for the provision of an information society service that has been explicitly requested by the contracting party or user.
The Garante has issued a general decision on cookies, stating that:
- first-party technical or analytics cookies and less intrusive third-party analytics cookies (e.g. cookies which use IP masking and do not aggregate data obtained from different sources) can be used without the user’s consent, provided that the use of these cookies is mentioned in the privacy notice to the users
- third-party analytics cookies and first-party/third-party profiling cookies can be used only if specific conditions are met and with the user’s prior consent, which can be obtained through a banner/pop-up on a website.
Last updated March 2020
Laws and regulations
- Law Decree No. 105 of 21 September 2019 (as converted into Law No. 133 of 18 November 2019), introducing a “National Cyber Security Perimeter” (the “Perimeter Decree”).
- Legislative Decree no. 65 of 18 May 2018 (the "NIS Decree"), implementing the EU NIS Directive.
- The Privacy Code (Legislative Decree No. 196 of 30 June 2003) as amended by the Legislative Decree no. 101 of 10 August 2018.
- The AgID Circular n. 2 of 2017 concerning ICT minimum security requirements for Public Administrations.
- Sector-specific obligations to protect data security are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) on companies such as banks, financial services providers and insurance companies.
- National Cybernetic Protection and Cyber Security Plan of 2017 (published on the Italian Official Journal of 31 May 2017) (“the Plan”).
Anticipated changes to law
- Adoption of regulations and procedures for the functioning of the perimeter of national cyber security, among others, for (i) identifying the Operators, public and private, falling within the scope of the Perimeter Decree; (ii) identifying the criteria for the regular update of the list of network and information systems used by the Operators for the exercise of an essential function of the State and/or the performance of an essential service; (iii) defining the procedures for incident notification; (iv) defining the terms and modalities for the notification of the supply of ICT systems and services to be used on Critical Systems.
- Update of the Plan and adoption of a national cyber security strategy in compliance with all the requirements under Article 7 of the EU NIS Directive.
The NIS Decree sets out security and notification requirements for:
- Operators of Essential Services (‘OES’) / “Operatori di servizi essenziali”, i.e. public or private entities providing key services in energy (electricity, oil and gas), transport (air, rail, maritime and road), banking and financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructure.
- Digital Service Providers (‘DSP’) / “Fornitori di Servizi Digitali”, i.e. any legal person that provides a digital service, such as an online marketplace, an online search engine or a cloud computing service.
The Perimeter Decree sets out requirements and notification duties for public administrations and both public and private national operators (collectively, the “Operators”) that:
- exercise an essential function of the State, or ensure the provision of an essential service for the maintenance of social, civil and economic activities that are fundamental for the interest of the State, and
- perform such essential functions or services through information systems and information services whose malfunctioning, interruption or improper use could affect the national security (“Critical Systems”).
The NIS Decree designates the following authorities:
1. The NIS competent authorities:
A. For Operators of Essential Services (OES):
- Energy (electricity, oil and gas) and digital infrastructure:
  - Ministry of Economic Development (Ministero dello Sviluppo Economico – Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione (ISCTI))
- Transport (air, rail, maritime and road):
  - Ministry of Infrastructure and Transport (Ministero delle Infrastrutture e dei Trasporti – Organo Centrale di Sicurezza)
- Banking and financial market infrastructures:
  - Ministry of Economy and Finance (Ministero dell’Economia e delle Finanze)
- Health sector:
  - Ministry of Health (Ministero della Salute)
- Drinking water supply and distribution:
  - Ministry for Environment, Land and Sea Protection (Ministero dell’ambiente e della tutela del territorio e del mare)
B. For Digital Service Providers (‘DSP’):
- Ministry of Economic Development (Ministero dello Sviluppo Economico – Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione (ISCTI))
The NIS competent authorities:
- shall identify the operators of essential services having an establishment in Italy;
- shall, on a regular basis, and at least every two years after 9 May 2018, review and, where appropriate, update the list of identified operators of essential services;
- shall monitor the application of the Decree and have sanctioning and inspection powers;
- may lay down guidelines for the incident notification or request to implement specific security measures.
2. The Single point of contact
The DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department).
The single point of contact shall exercise a liaison function to ensure cross-border cooperation of the NIS competent authorities and with relevant authorities in other Member States and with the Cooperation Group established by the EU NIS Directive and the CSIRTs network.
3. Computer security incident response team (CSIRT)
The CSIRT will be established by a decree of the President of the Council of Ministers through the merger of the current national CERT and the CERT-PA. Pending the definition of the operation and organization of the new CSIRT, the tasks of the CSIRT are jointly performed by the CERT and the CERT-PA.
The CSIRT (i) defines the procedures for the prevention and management of incidents, (ii) receives incident notifications and notifies the DIS, as single point of contact, (iii) provides the notifying party with information that may facilitate the management of the incident, (iv) notifies other EU Member States that may be affected by the incident, and (v) collaborates in the CSIRT network.
4. Technical Committee
The Technical Committee will be established by a decree to be issued by the President of the Council of Ministers and will have the task of coordinating the cooperation among the NIS competent authorities, the single point of contact and the CSIRT.
The Perimeter Decree designates the following authorities:
- The Perimeter Decree authorities:
  - National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale – CVCN)
- The Competent Ministries for notification purposes:
  - Ministry of Economic Development (Ministero dello Sviluppo Economico)
  - Ministry of Internal Affairs (Ministero degli Interni)
Italy’s Intelligence System for the Security of the Republic (www.sicurezzanazionale.gov.it) is the collective name given to the authorities and organizations responsible for intelligence policies, intelligence coordination and intelligence operations involved in the implementation of both the NIS Decree and the Perimeter Decree. The Security Intelligence System includes:
- the President of the Council of Ministers;
- the Delegated Authority;
- the CISR – Comitato Interministeriale per la Sicurezza della Repubblica (Interministerial Committee for the Security of the Republic);
- the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department);
- the AISE – Agenzia informazioni e sicurezza esterna (External Intelligence and Security Agency);
- the AISI – Agenzia informazioni e sicurezza interna (Internal Intelligence and Security Agency).
The NIS Decree requires operators of essential services and digital service providers to take appropriate and proportionate technical and organizational measures for the management of risks and the prevention of IT incidents. With regard to operators of essential services, the Decree also specifies that, in taking such measures, operators must take due account of the Cooperation Group’s guidelines. Digital service providers, on the other hand, need to take into consideration all the elements specified in the European Commission’s regulation on the modalities of implementation of the EU NIS Directive (Regulation (EU) 2018/151).
With reference to the incident notification obligations, the Decree provides that operators of essential services must notify the CSIRT, without undue delay, of cyber incidents that have a significant impact on the “continuity of the essential services they provide”. A similar obligation also applies to digital service providers. With regard to the incidents that digital service providers are required to notify, Regulation (EU) 2018/151 indicates which parameters should be taken into consideration in order to determine whether the impact of a certain incident is relevant and therefore must be notified.
Notwithstanding the above, all the other entities that cannot be classified as operators of essential services or digital service providers may anyway decide to notify about certain incidents voluntarily.
The Perimeter Decree identifies a series of requirements and notification duties that Operators (as defined above) are bound to comply with. Such requirements include the obligation to: (i) notify to the Presidency of the Council of Ministers and to the Minister of Economic Development, and subsequently update, a list of the Critical Systems used by the Operator; (ii) notify any incident having an impact on such Critical Systems to the Italian CSIRT (pursuant to Section 9 NIS Directive) according to specific procedures; and (iii) comply with specific measures aimed at guaranteeing high standards of security of the Critical Systems.
In addition to the above, the Perimeter Decree affects also suppliers of goods, ICT systems and services to be used on Critical Systems so that Operators which are planning to purchase such goods and services must notify the National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale – CVCN), for detailed evaluation on security implications.
Furthermore, the Perimeter Decree introduces a duty of collaboration of said suppliers with the CVCN, which may impose specific conditions on them and request hardware and software testing, on the basis of a risk assessment, at their own cost; in such a case, the relevant contracts with the suppliers shall include a condition precedent or a termination clause linked to the outcome of the assessment carried out by the CVCN.
In case of a serious and imminent risk to national security or in cyber-crisis events, the Perimeter Decree gives the President of the Council of Ministers immediate authority to partially or wholly de-activate, on a temporary basis, one or more items of equipment or products that are employed in networks or IT systems functional to the provision of the services delivered by the Operators.
The NIS Decree provides for penalties up to EUR 150.000 for non-compliance with the obligations set forth in it.
Failure to comply with the requirements provided for by the Perimeter Decree, or to provide full cooperation with the public authorities, may trigger administrative fines of between 250.000,00 and 1.800.000,00 Euro for each breach, as well as criminal liability sanctioned with imprisonment from one to five years and fines up to 64.000,00€.
In case of non-compliance with the data breach notification obligations or the security obligations provided for by the Privacy Code, the Italian Data Protection Authority can apply monetary sanctions.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
There are two main CERTs:
- the national Computer Emergency Response Team (CERT) (www.certnazionale.it) for businesses and citizens, managed by the Italian Ministry of Economic Development
- CERT-PA, managed by the Italian Digital Agency (AgID), for the Italian public administration (www.cert-pa.it).
Both CERTs will be merged to establish the CSIRT.
Is there a national incident management structure for responding to cyber security incidents?
The Nucleo per la sicurezza cibernetica (Cyber Security Center) of the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department) is the competent body for the management of cyber security incidents.