Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by Maria Chiara Meneghetti on June 1, 2018

GDPR Regulation EU 2016/679, Privacy


Regulation (EU) 2016/679 (the GDPR) will shortly be directly applicable throughout the European Union. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

What does “transfer of personal data” mean?

The GDPR does not define what a “transfer” is. From the provisions that regulate transfers of personal data (Arts. 44-50 of the GDPR), it can be inferred that a “transfer” is a movement of personal data from a controller or processor inside the EU to a controller or processor outside the EU.

The GDPR broadens the scope of the transfer rules. Firstly, they also cover cases in which personal data are transferred to an international organisation. Secondly, the GDPR applies the rules not only to “direct” transfers from a European to a non-European country, but also to onward transfers, namely when the recipient of the initial transfer subsequently transfers the data to other parties.

What is the procedure a controller or a processor must follow when he/she wishes to transfer personal data?

A controller or processor may transfer personal data only when one of the conditions provided for in Articles 45-49 of the GDPR is met.

What “mechanisms” may be used?

The “mechanisms” listed in Articles 45-49, which controllers and processors may rely on to transfer personal data, partly overlap with the conditions already provided for by the Italian Privacy Code or developed by the Article 29 Working Party. By way of example, a transfer is lawful when: the third country to which the personal data are transferred is covered by an adequacy decision of the European Commission; the transfer is subject to appropriate safeguards, such as standard contractual clauses (SCCs) between sender and recipient or, for intra-group transfers, binding corporate rules (BCRs) adopted by the group of enterprises; or the sender can rely on one of the derogations set out in Art. 49 of the GDPR (e.g. the data subject has given explicit consent after being informed of the possible risks of the transfer).

What changes with the GDPR?

On the one hand, the GDPR makes new “instruments” available for data transfers; on the other, it ranks the conditions by importance: the adequacy decision becomes the pillar of the new system, and controllers or processors need to adopt one of the other alternatives offered by the GDPR only in its absence.

Among the appropriate safeguards, binding corporate rules take on their own importance and are regulated in detail in Art. 47 of the GDPR, which lists their minimum content. Art. 46, in turn, extends the list of legal grounds that can be used for a transfer, adding to SCCs and BCRs: a “legally binding and enforceable instrument between public authorities or bodies”; adherence to an approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments by the recipient to apply the appropriate safeguards. Moreover, SCCs, which were formerly valid only when adopted by the European Commission, may henceforth also be adopted by a national supervisory authority (provided they are then approved by the European Commission or submitted to the consistency mechanism referred to in Art. 63 of the GDPR).

Finally, Art. 49 sets out the remaining “derogations for specific situations”, which the sender can rely on in the absence of both an adequacy decision and appropriate safeguards. Being exceptions to the general rule, these derogations are to be interpreted restrictively.

Are already adopted adequacy decisions still valid?

The GDPR specifies that adequacy decisions adopted on the basis of Directive 95/46/EC remain in force until they are amended, replaced or repealed by a European Commission decision, for example following the periodic review (at least every four years) required for all adequacy decisions. All adequacy decisions adopted to date therefore remain valid for the moment.

The adequacy decisions adopted so far are published by the European Commission.

What SCCs can currently be used?

With regard to standard contractual clauses, the European Commission has so far adopted two sets of model clauses for transfers from controllers in the EU to controllers established outside the EU (Decisions 2001/497/EC and 2004/915/EC) and one set for transfers from controllers in the EU to processors established outside the EU (Decision 2010/87/EU).

In addition, a model SCC for the transfer of data from a processor established in the EU to another processor established in a third country is currently under preparation.


posted by Laura Greco on May 15, 2018

GDPR Regulation EU 2016/679, Privacy


Regulation (EU) 2016/679 (the GDPR) will shortly be directly applicable throughout the European Union. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

To make a complex and highly structured text such as the GDPR easier to understand, we propose here a collection of simple factsheets in a Q&A format which, starting from familiar privacy concepts, give brief initial guidance to reading the new legislation.

What is the Data Protection Impact Assessment?

The GDPR obliges controllers to assess the risk that their processing is likely to pose to personal data and, consequently, to the rights and freedoms of natural persons. The Data Protection Impact Assessment (“DPIA”) is an ongoing process, to be reviewed regularly and whenever there are substantial changes to the processing; it consists of the activities carried out to assess the risks deriving from the processing and of the means, tools and measures adopted to identify and minimise those risks, and it must be documented.

When is it necessary to do a DPIA?

The controller must carry out the DPIA prior to the processing, at the earliest possible stage in the design of the processing operation, when it is still possible to modify the design and take measures to mitigate the risks emerging from the assessment. This obligation is part of the proactive approach to security adopted by the GDPR (data protection by design), consisting of a set of preventive and precautionary tools for the protection of the personal data processed.

Is it a mandatory obligation?

A DPIA is mandatory whenever the processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons (Art. 35(1)), and in any case where the processing consists of: a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; b) processing on a large scale of special categories of data referred to in Art. 9(1), or of personal data relating to criminal convictions and offences referred to in Art. 10; or c) systematic monitoring of a publicly accessible area on a large scale (see the factsheet on the DPO for the concept of “large scale”). The supervisory authority is also required to draw up and publish a list of the kinds of processing operations which are subject to the requirement for a DPIA.

Even when it is not mandatory, a DPIA is a recommended measure, since it is a useful tool for the controller to identify likely risk situations and remedy them before harming data subjects or infringing the law (and to demonstrate compliance with the GDPR).

Who has the obligation of conducting the DPIA?

The controller is responsible for ensuring that the DPIA is carried out. Another person, inside or outside the organisation, may actually carry it out; however, ultimate accountability for this obligation remains with the controller, who should carefully monitor the assessment.

As the GDPR states, when carrying out a DPIA the controller must seek the advice of the Data Protection Officer, where designated, and may rely on the assistance of the processor. Where appropriate, the controller (or the person delegated to carry out the assessment) should also seek the views of data subjects or their representatives on the intended processing. If the controller’s final decision differs from the views of data subjects, its reasons for going ahead or not should be documented.

How must a DPIA be carried out?

Whether the DPIA is mandatory or discretionary, a systematic description of the processing operations likely to result in high risk is needed. For each processing (or category of processing), information will need to be collected on: a) the nature, scope, context and purposes of the processing; b) the personal (and sensitive) data, the data subjects and the period for which the personal data will be stored; c) a functional description of the processing operations and, in particular, of the data flows (i.e. disclosure by transmission, dissemination or otherwise making the personal data available, and transfers, specifying the recipients inside and outside the controller’s organisation); d) the assets on which the personal data rely (hardware, software, networks, people, paper or paper transmission channels); e) the persons who may access the data, together with the purposes of or reasons for that access.

Subsequently, it will be necessary to assess and document whether the processing is necessary and proportionate in relation to its purposes. For each processing, the measures envisaged to address the risks will need to be checked, including the safeguards, security measures and mechanisms adopted to ensure the protection of personal data.

On the basis of the documentation and information collected, it will be possible to proceed to identify the risks to which the personal data are exposed, analysing their life cycle and taking into account how they are used, the purposes for which they are used, whether any new technologies are used and which persons are authorised to process them.

Once the risks have been identified, they will have to be managed. At this stage, it will be necessary to decide, for each risk, whether it should be eliminated, mitigated or accepted (where acceptance is possible).

Where do I keep my DPIA?

The results and observations of the DPIA should be consolidated in a final report, in which the information collected and examined is presented in a systematic and functional way together with the measures and remedies adopted and implemented to address the risks. The report should specify the name of the organisation or project for which the DPIA has been carried out, the persons or team who carried it out and the contact details of the designated lead contact.

Focus: obligations relating to the DPIA

Although it is not a legal requirement of the GDPR, in its Guidelines on DPIA (WP 248), adopted on 4 April 2017 and revised on 4 October 2017, the Article 29 Working Party (A29WP) recommends publishing the report, or parts of it (omitting commercially sensitive or security-sensitive details), to demonstrate accountability and transparency and “to help foster trust in the controller’s processing operations”. This is especially encouraged for organisations whose processing operations affect members of the public.

When the controller has adequately managed the identified risks through the DPIA, the procedure can be considered concluded. Conversely, whenever the identified risks cannot be sufficiently addressed by the controller (i.e. when the residual risks remain high), the controller must consult the supervisory authority prior to the processing, in accordance with Art. 36 of the GDPR.


posted by Laura Greco on May 2, 2018

GDPR Regulation EU 2016/679, Privacy


Regulation (EU) 2016/679 (the GDPR) will shortly be directly applicable throughout the European Union. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

To make a complex and highly structured text such as the GDPR easier to understand, we propose here a collection of simple factsheets in a Q&A format which, starting from familiar privacy concepts, give brief initial guidance to reading the new legislation.

What is the record of processing activities?

This is an obligation introduced by the GDPR (Art. 30) which requires full documentation of all processing operations carried out under the responsibility of the controller and of the processor.

Whose obligation is it to keep records?

A novelty of the GDPR is that the controller and the processor are each independently responsible for drafting and keeping records. The controller’s record and the processor’s record will be two distinct documents, each with specific content.

Compiling the record may be delegated to the Data Protection Officer (DPO), without this transferring responsibility for compliance with the obligation away from the controller or the processor. The controller and processor may also seek the assistance of the heads of department in their organisations, who are likely to be more familiar with the processing activities carried out in their departments and can more easily provide specific, detailed information about them.

Are there any waivers or exceptions in the GDPR?

The Regulation provides that the duty to maintain a record of processing activities does not apply to enterprises or organisations employing fewer than 250 persons. For this exemption to apply, however, the processing carried out must not be likely to result in a risk to the rights and freedoms of data subjects, it must be occasional, and it must not include special categories of data (e.g. health or biometric data) or personal data relating to criminal convictions and offences. Since almost every organisation carries out some non-occasional processing (for example of employee data), the exemption is of limited practical scope.

What information should be contained in the record?

The minimum content of information changes depending on whether the document concerns the controller’s processing activities or those of the processor.

In the first case, the controller shall indicate: a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; b) the purposes of the processing; c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the personal data have been or will be disclosed e) where applicable, the identification of the third country or the international organisation to which data are transferred, including the documentation of suitable safeguards; f) where possible, the envisaged time limits for erasure of the different categories of data; g) where possible, a general description of the technical and organisational security measures.

In the second case, the processor shall specify: a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer; b) the categories of processing carried out on behalf of each controller; c) where applicable, the identification of the third country or the international organisation to which data are transferred, including the documentation of suitable safeguards; d) where possible, a general description of the technical and organisational security measures.

Can the record be drafted and kept in electronic form?

The GDPR provides that the records of processing activities must be in writing, including in electronic form. It is therefore also possible to draft and keep records directly on IT systems, for example as a spreadsheet. Since the record must be kept up to date and produced to the supervisory authority on request, it should be subject to access control and to a version history, so that changes can be traced.

Are there other obligations which go with the record?

Simply drafting the record is not sufficient for full compliance with the GDPR. The record must be periodically reviewed and updated, in particular by adding new processing activities and removing those which have ended, so that it always reflects the organisation’s current processing activities.

In addition, the controller and the processor (where applicable, their representative) are under the obligation to make the record available to the supervisory authority on request.


posted by Maria Chiara Meneghetti on April 23, 2018

GDPR Regulation EU 2016/679, Privacy


Regulation (EU) 2016/679 (the GDPR) will shortly be directly applicable throughout the European Union. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation. To make a complex and highly structured text such as the GDPR easier to understand, we propose here a collection of simple factsheets in a Q&A format which, starting from familiar privacy concepts, give brief initial guidance to reading the new legislation.

What are the rights of the data subject?

The data subject, namely the natural person whose personal data are processed, has a number of rights, which he/she can exercise against the data controller at any time and which allow him/her to keep control of the data provided and of their use.

These rights, many of which were already provided for by the Italian Privacy Code, include: the right of access (which entitles data subjects to obtain confirmation of whether the controller is processing their personal data and, if so, access to those data); the right to rectification (under which data subjects may require the controller to rectify inaccurate personal data without undue delay); and the right to object to processing (under which data subjects may object to continued processing in specific circumstances).

What changes with the GDPR?

The GDPR expands the list of rights by adding: the right to erasure (the “right to be forgotten”), the right to restriction of processing and the right to data portability.

From the data controller’s point of view, he/she remains responsible for facilitating the exercise of data subjects’ rights (by adopting appropriate technical and organisational measures) and for answering their requests (with the collaboration of the data processor, where necessary).

In particular, for all rights the GDPR sets the deadline for answering data subjects’ requests at one month from receipt, which may be extended by two further months where necessary, taking into account the complexity and number of the requests; the data subject must be informed of any extension, and of the reasons for it, within the first month. If the controller does not intend to act on a request, it must in any case inform the data subject within one month of the reasons for not doing so and of the possibility of lodging a complaint with the supervisory authority. The answer, usually given in writing, must be concise, transparent and drafted in clear and plain language.

What is the right to erasure (the right to be forgotten)?

Under the right to erasure, data subjects are entitled to obtain from the controller the erasure of the personal data it holds about them.

However, the right to be forgotten cannot be exercised in every circumstance, but only when one of the specific conditions listed in Art. 17 of the GDPR applies, namely when:

1) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

2) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;

3) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

4) the personal data have been unlawfully processed;

5) the personal data have to be erased for compliance with a legal obligation (in Union or Member State law to which the controller is subject);

6) the personal data have been collected in relation to the offer of information society services, when the data subject was still a child (therefore he/she was not fully aware of the risks deriving from the processing of his/her data).

In addition to complying with the data subject’s request for erasure in one of the above situations, the controller has a further obligation. In digital environments, information circulates and spreads far more widely than in the physical world. For this reason the GDPR provides that where the controller has made the personal data public (e.g. on a website), it shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers which are processing those personal data that the data subject has requested the erasure of any links to, or copies or replications of, those data.

The right to be forgotten is limited only where the data subject’s right to obtain erasure is overridden by prevailing interests: for instance, to the extent that processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the performance of a task carried out in the public interest. Erasure may also be refused where retention of the data is necessary for the establishment, exercise or defence of legal claims.

What is the right to restriction of processing?

By exercising this right, the data subject can “restrict” the processing of his/her data in certain situations. It provides an alternative to erasure: the data subject requests that the data be kept but, for the time being, not otherwise processed (except with his/her consent, for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for reasons of important public interest).

The right to obtain a restriction of processing can be exercised when:

1) the data subject disputes the accuracy of his/her personal data and so requests restriction of their utilisation for a period in which the data controller will be able to verify their accuracy;

2) the processing is unlawful, but the data subject objects to erasure of the personal data and requests restriction of their use instead;

3) the controller no longer has need for the personal data for the purposes of processing, but the data subject requires them to establish, exercise or defend legal claims;

4) the data subject has objected to processing and the restriction of processing is implemented pending verification of whether the legitimate grounds of the controller override those of the data subject.

What is the right to data portability?

The right to data portability has a twofold content. Firstly, it is the right of the data subject to receive his/her data in a structured, commonly used and machine-readable format. There is no express indication of the format to be used, but the objective is evidently to ensure that the data are provided in an “interoperable” format which allows easy re-use across a variety of devices and services.

Secondly, the right to data portability includes the right to transmit those data to another controller (and, where technically feasible, to have them transmitted directly), without hindrance from the “original” controller. In other words, controllers must make it possible for data subjects to move their personal data from one IT system to another easily and without obstruction.

The right to data portability cannot be exercised unconditionally either, but only when the personal data fulfil a number of conditions. In particular they must be:

1) personal data concerning the data subject (anonymous data are therefore excluded);

2) processed based on the data subject’s previous consent or for the performance of a contract, to which the data subject is party;

3) processed by automated means;

4) provided to a controller by the data subject. This condition is to be interpreted broadly: the right is not limited to data knowingly and actively provided by the data subject (e.g. data entered on a subscription form), but also covers data generated by the data subject’s use of a service or device (e.g. location data, traffic data or search history).

It is important to point out that, by contrast, the right to data portability does not extend to so-called derived or inferred data, namely the product of analysis carried out by the controller on the data provided by the data subject. These are data “created” by the controller and kept by it (e.g. the outcome of a health assessment of the data subject, or a profile created in the context of risk management, such as a credit score, or of compliance with anti-money laundering or other financial crime legislation).
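As an added illustration of the distinction drawn above (this is example code written for this page, not part of the original post or of any official guidance), the following Python sketch tags each stored field with its provenance and builds a portability export that contains only data provided by or observed from the data subject, leaving inferred data out. The field names, the provenance labels, the sample record and the JSON layout are assumptions; the GDPR prescribes none of them.

```python
"""Data portability export: provided and observed data in, inferred data out.

Example code for this page.  Field names, provenance labels and the export
layout are assumptions, not a format prescribed by the GDPR or the A29WP.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List

# Provenance categories, following the Article 29 Working Party's distinction.
PROVIDED = "provided"   # knowingly supplied by the data subject (e.g. a sign-up form)
OBSERVED = "observed"   # generated by the subject's use of the service (e.g. search history)
INFERRED = "inferred"   # created by the controller through analysis (e.g. a credit score)


@dataclass(frozen=True)
class Field:
    name: str
    provenance: str
    value: Any


def portable_fields(fields: List[Field]) -> List[Field]:
    """Return the fields in scope for portability: provided and observed data.

    Inferred data are dropped.  A field with an unknown provenance label raises,
    so an untagged attribute fails closed instead of leaking into the export.
    """
    in_scope: List[Field] = []
    for f in fields:
        if f.provenance in (PROVIDED, OBSERVED):
            in_scope.append(f)
        elif f.provenance != INFERRED:
            raise ValueError(f"field {f.name!r} has unknown provenance {f.provenance!r}")
    return in_scope


def build_export(subject_id: str, fields: List[Field],
                 controller: str = "example-controller") -> Dict[str, Any]:
    """Assemble a structured, machine-readable export for one data subject."""
    in_scope = portable_fields(fields)
    return {
        "schema": "portability-export/1",   # assumed versioned layout
        "controller": controller,
        "data_subject_id": subject_id,
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "data": {f.name: f.value for f in in_scope},
        "provenance": {f.name: f.provenance for f in in_scope},
        # Withheld fields are listed by name only, so the subject can see what
        # was excluded (and can request it under the right of access instead).
        "excluded_inferred_fields": sorted(f.name for f in fields if f.provenance == INFERRED),
    }


def export_json(subject_id: str, fields: List[Field]) -> str:
    """Serialise the export as JSON, a commonly used, interoperable format."""
    return json.dumps(build_export(subject_id, fields), indent=2, sort_keys=True, ensure_ascii=False)


# Constructed sample record (not real data).
SAMPLE_FIELDS = [
    Field("email", PROVIDED, "mario.rossi@example.com"),
    Field("date_of_birth", PROVIDED, "1985-04-12"),
    Field("search_history", OBSERVED, ["gdpr article 20", "data portability"]),
    Field("last_known_location", OBSERVED, {"lat": 44.49, "lon": 11.34}),
    Field("credit_score", INFERRED, 712),
    Field("risk_profile", INFERRED, "low"),
]

if __name__ == "__main__":
    print(export_json("user-123", SAMPLE_FIELDS))
```

Tagging provenance in the data model, rather than deciding field by field at export time, is what makes the exclusion auditable, and failing closed on untagged fields means that a new inferred attribute added to the model cannot slip into the export by default. The same tags help with access requests, which, unlike portability, do cover inferred data about the data subject.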


posted by Maria Chiara Meneghetti on April 15, 2018

GDPR Regulation EU 2016/679, Privacy


Regulation (EU) 2016/679 (the GDPR) will shortly be directly applicable throughout the European Union. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

To make a complex and highly structured text such as the GDPR easier to understand, we propose here a collection of simple factsheets in a Q&A format which, starting from familiar privacy concepts, give brief initial guidance to reading the new legislation.

What does “personal data breach” mean?

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Personal data breaches take many forms: theft or accidental erasure of data from a database, malware attacks (such as ransomware) which block access to IT systems, or power failures which make data temporarily unavailable.

In brief, we can say that a personal data breach is a specific type of security incident in cases when personal data are involved. While all personal data breaches are security incidents, not all security incidents can necessarily be described as data breaches.

What action must the controller take in cases of personal data breach?

Articles 33 and 34 of the GDPR regulate the procedures the controller must activate in the event of a personal data breach: notification of the breach to the supervisory authority (in Italy, the Garante per la protezione dei dati personali) and communication of the breach to the data subjects.

Both procedures aim at informing the authority or the data subject that a breach has occurred in order to allow them to take all necessary protection measures.

What action must the processor take in cases of personal data breach?

Although the obligations of notification and communication fall on the controller, Art. 33(2) provides that the processor must inform the controller without undue delay after becoming aware of a personal data breach.

So that any response to a breach can be carried out as effectively and promptly as possible, also taking into account the size of the context in which the data are processed and the number of people who may be involved, the controller should prepare an incident response plan in advance. The plan should set out the steps and organisational procedures to be followed in dealing with possible breaches and identify the function or response team to which the event will be referred.

When must notification to the supervisory authority be carried out?

Art. 33 of the GDPR provides that the controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Where all the required information cannot be provided at the same time, it may be provided in phases without undue further delay.

Notification is not required when the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller is therefore responsible for analysing the potential risks to data subjects caused by the breach and for assessing whether they are high enough to trigger the obligation to notify the supervisory authority. It should be noted that any risk, not only a high risk, is enough to oblige the controller to notify the authority; in any case, every breach, whether notified or not, must be documented together with its effects and the remedial action taken (Art. 33(5)).

When must communication be given to the data subject?

Art. 34 of the GDPR provides that when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.

Unlike notification to the supervisory authority, communication to the data subject is required only when the breach is likely to result in a “high risk”. In any case, it is the controller’s duty to evaluate the level of risk.

The article goes on to list the circumstances in which, despite the potential high risk, communication to the data subject is not required: (a) the controller had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to any person not authorised to access them (e.g. encryption, provided the key has not itself been compromised); (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; (c) communication would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

In what form should the communication be made?

To comply with the communication obligation of the GDPR it is not enough merely to inform the data subject: the adequacy of a communication depends not only on its content but also on how it is formulated. To fulfil their informative function, communications must be written in clear and plain language. Direct communications to data subjects are preferable (e.g. e-mail, SMS or direct messages). The information should be conveyed clearly and transparently, avoiding excessively general or misleading formats (such as generic updates or newsletters).

How should the assessment of the risk resulting from a data breach be carried out?

The assessment of the risks resulting from a data breach is a fundamental step, because it allows the controller not only to identify adequate measures to contain or remedy the breach, but also to decide whether the notification and communication procedures must be activated (they are triggered only above certain risk thresholds).

The assessment is similar to the one the controller carries out for a Data Protection Impact Assessment, but unlike the latter it must be specific to the concrete circumstances of the breach.

The factors the controller needs to take into consideration include: the type of breach (confidentiality, integrity or availability breach); the nature of the data involved (e.g. health data, ID documents or credit card numbers); how easy it would be to identify the data subjects (which varies according to whether the data are directly identifying and to how they were stored, e.g. whether pseudonymisation or encryption was applied); the severity of the consequences for individuals (which differs, for instance, depending on whether the data were mistakenly sent to a trusted party or stolen by an unknown third party); any particular characteristics and the number of the individuals involved (e.g. whether vulnerable data subjects such as children or elderly people are affected, and whether the breach concerns one individual or many); and the particular characteristics of the controller (e.g. the nature of its activity and processing environment).


posted by admin on March 31, 2018

GDPR Regulation EU 2016/679, Privacy

Comments disabled

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

Who is the Data Protection Officer?

The Data Protection Officer, more commonly known as the DPO, is designated by the controller or processor and plays a dual role: firstly, he/she is entrusted with monitoring and overseeing compliance with the GDPR within the organisation that has appointed him/her; secondly, he/she acts as the point of contact between the organisation and the supervisory authority and interfaces with data subjects.

When should a DPO be appointed?

The appointment of the DPO is mandatory (Art. 37) when: a) the processing is carried out by a public authority or body (except for courts acting in their judicial capacity); b) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or processor consist of processing on a large scale of special categories of data (e.g. data relating to health, genetic data, biometric data) or of data relating to criminal convictions and offences. Union or Member State law may provide for further cases of mandatory appointment.

Apart from these cases, the appointment of a DPO is discretionary but still strongly recommended, given the importance of the role in assisting and supporting compliance with the GDPR.

What skills are required to be appointed as DPO?

The DPO must have significant specialist knowledge commensurate with the sensitivity, complexity and amount of data processed by an organisation. In particular, he/she must have full command of national and European data protection laws and practices and be thoroughly knowledgeable of the GDPR as well as of the business sector and the controller’s organisation.

Lastly, he/she must have a significant degree of familiarity with the processing operations carried out, as well as the IT systems and data security and data protection needs of the controller.

What tasks does the DPO have?

Besides the roles of internal coordination and external contact point, the DPO takes charge of the ongoing awareness-raising and training of the controller’s or processor’s staff in the field of data protection, monitors compliance with the GDPR and plays an advisory role, giving advice upon request on data protection impact assessments (DPIAs) and monitoring their performance. This task list is by no means exhaustive and the controller or processor may decide to assign further tasks to the DPO, such as for example maintaining the record of processing activities.

Can the role of DPO be allocated to an employee of the controller/processor?

The controller or processor can either appoint an internal member of staff of their own organisation as DPO (a new or existing staff member) or contract the role externally (by means of outsourcing or a service contract). In both cases, the controller or processor must ensure that the DPO is in a position to perform his/her duties and tasks in an independent manner and that any other tasks and duties assigned to him/her do not give rise to a conflict of interest. For this reason, the controller and processor must ensure that the DPO does not receive any instructions regarding the exercise of his/her tasks and that he/she will not be dismissed or penalised for performing them.

Can the DPO have his/her own team?

The controller or processor must provide all resources necessary for the DPO to be able to carry out his/her tasks, such as sufficient time, adequate financial resources, infrastructure (premises, facilities, equipment) and staff. The DPO can also have his/her own team to help him/her in performing his/her tasks. In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up and there should be a designated lead contact.

Who is responsible for non-compliance with the GDPR ?

The DPO is not personally responsible for non-compliance with the GDPR during processing. Only the controller and the processor are responsible for any non-compliance with the Regulation when performing processing.

Is the controller/processor required to publish and communicate the DPO’s appointment?

The appointment of the DPO must be published and communicated both inside and outside the organisation of the controller or the processor. In particular, the contact details of the DPO, such as for example a postal address, a dedicated telephone number and/or a dedicated e-mail address (and possibly a dedicated contact form), should be published on the controller’s or processor’s website. The same contact details must be communicated to the relevant supervisory authority and to data subjects in the privacy notice (see the first FAQ on privacy notices).

Focus: the “large scale” concept

The GDPR does not define what large scale processing is. The Article 29 Working Party offers some criteria to clarify the concept in its Guidelines on DPOs of 5 April 2017. When determining whether the processing is carried out on a large scale, the following factors can be considered:

• The number of data subjects concerned-either as a specific number or as a proportion of the relevant population;

• The volume of data and/or the range of different data items being processed;

• The duration, or permanence, of the data processing activity;

• The geographical extent of the processing activity.

Examples of large-scale processing include:

• processing of patient data in the regular course of business by a hospital;

• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);

• processing of customer data in the regular course of business by an insurance company or a bank.



What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4(11)). Analysis of the definition shows that consent is an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as a hypothetical silent consent. Moreover, as the Italian Privacy Code already did, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constraints); specific (one for each processing purpose); and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is only one of the alternative legal bases provided by the GDPR to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever none of the other legal bases listed in art. 6 of the GDPR can be relied upon. These are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without the consent of the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five further legal bases which largely take up the alternatives already provided for by the Italian Privacy Code. Processing will be lawful even in the absence of consent if: b) it is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; c) it is necessary for compliance with a legal obligation to which the controller is subject; d) it is necessary in order to protect the vital interests of the data subject or of another natural person; e) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it will be the duty and responsibility of the controller to balance his/her legitimate interest with the rights of data subjects and justify that his/her interest overrides the interests of the various data subjects.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these are fraud prevention and direct marketing (for instance, when the controller uses the contact details the data subject provided in the context of the sale of a product or service to promote similar products or services, without asking for consent, provided that the data subject, adequately informed, has not objected). The processing of data for internal administrative purposes within a group of undertakings, or in order to ensure network and information security, may also be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, the GDPR also provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which when processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; for reasons of public interest in the field of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access thanks to the Internet, the GDPR wishes to strengthen the protection of children from its dangers. Therefore, Art. 8 specifies that consent given by a child for the processing of his/her personal data in the context of an information society service offered directly to a child is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age, provided that it is not below 13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfill in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise: in order to create a GDPR compliant consent form:

1) this must be a clear and unambiguous act: it can be collected in writing including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by: silence, inactivity or pre-ticked boxes.

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data.

2) must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved: the controller must make reasonable efforts to verify the age of the child and, where the child is below the age of digital consent, obtain consent given or authorised by the holder of parental responsibility;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to processing of his/her personal data and also to inform the data subject of his/her right to withdraw his/her consent at any time and that it is as easy to withdraw as to give consent.
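The checklist above lends itself to an automated check on the consent records a controller stores as evidence under art. 7(1). The following is an added example, not code from the original page or from the authors: the record layout, field names and the two sample records are assumptions made for illustration, and the age bounds follow Art. 8 (16, or a Member State value not below 13).

```python
"""Validate stored consent records against the GDPR consent checklist.

Added illustration; the data model and field names are assumptions, not a
standard. Each checklist item from the factsheet maps to one rule below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Art. 8: digital age of consent is 16 unless Member State law sets a lower age, not below 13.
DEFAULT_DIGITAL_AGE = 16
MIN_DIGITAL_AGE = 13


@dataclass
class PurposeConsent:
    purpose: str                    # one entry per purpose, e.g. "marketing", "profiling"
    granted: bool                   # what the data subject actually chose
    preticked: bool = False         # True if the box was already ticked before the subject acted
    special_category: bool = False  # art. 9 data (health, biometrics, ...)
    explicit: bool = False          # a separate explicit statement was collected (art. 9(2)(a))


@dataclass
class ConsentRecord:
    data_subject_id: str
    collected_at: datetime          # evidence for art. 7(1): the controller must be able to demonstrate consent
    notice_version: str             # which privacy notice the subject saw (informed consent)
    purposes: List[PurposeConsent]
    collection_channel: str         # "web_form", "app", "phone", ...
    withdrawal_channels: List[str] = field(default_factory=list)
    age: Optional[int] = None       # only relevant for information society services
    parental_authorisation: bool = False


def validate_consent(record: ConsentRecord, digital_age: int = DEFAULT_DIGITAL_AGE) -> List[str]:
    """Return the checklist violations found; an empty list means the record passes."""
    if not MIN_DIGITAL_AGE <= digital_age <= DEFAULT_DIGITAL_AGE:
        raise ValueError("Member State age of digital consent must lie between 13 and 16")
    problems: List[str] = []

    # 6) demonstrability: a record without a usable timestamp or notice version proves little
    if record.collected_at.tzinfo is None:
        problems.append("collected_at must be timezone-aware to serve as evidence")
    if not record.notice_version:
        problems.append("consent is not informed: no privacy notice version recorded")

    # 3) one consent per purpose: duplicate entries indicate bundled or ambiguous choices
    names = [p.purpose for p in record.purposes]
    if len(set(names)) != len(names):
        problems.append("duplicate purpose entries: consent must be separate per purpose")

    for p in record.purposes:
        # 1.1) a pre-ticked box is not a clear affirmative action
        if p.granted and p.preticked:
            problems.append(f"{p.purpose}: pre-ticked box is not a clear affirmative action")
        # 5) special categories require explicit consent
        if p.granted and p.special_category and not p.explicit:
            problems.append(f"{p.purpose}: special-category data requires explicit consent")

    # 4) child consent for information society services
    if record.age is not None and record.age < digital_age and not record.parental_authorisation:
        problems.append(f"data subject is {record.age}: consent must be given or authorised "
                        "by the holder of parental responsibility")

    # 6) withdrawal as easy as giving: the channel used to collect consent must also accept withdrawal
    if record.collection_channel not in record.withdrawal_channels:
        problems.append(f"no withdrawal via {record.collection_channel}: "
                        "withdrawal must be as easy as giving consent")
    return problems


def granted_purposes(record: ConsentRecord) -> List[str]:
    """Purposes the controller may actually rely on: affirmatively granted, not pre-ticked,
    and explicit where special-category data are involved."""
    return [p.purpose for p in record.purposes
            if p.granted and not p.preticked and (not p.special_category or p.explicit)]


def sample_records() -> Tuple[ConsentRecord, ConsentRecord]:
    """Two constructed sample records (not real data): one failing the checklist, one passing."""
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    failing = ConsentRecord(
        data_subject_id="subj-001", collected_at=when, notice_version="",
        purposes=[PurposeConsent("marketing", granted=True, preticked=True),
                  PurposeConsent("profiling", granted=True),
                  PurposeConsent("health_research", granted=True, special_category=True)],
        collection_channel="web_form", withdrawal_channels=["postal_letter"], age=14)
    passing = ConsentRecord(
        data_subject_id="subj-002", collected_at=when, notice_version="v2018-05",
        purposes=[PurposeConsent("marketing", granted=True),
                  PurposeConsent("profiling", granted=False),
                  PurposeConsent("health_research", granted=True, special_category=True, explicit=True)],
        collection_channel="web_form", withdrawal_channels=["web_form", "email"],
        age=14, parental_authorisation=True)
    return failing, passing


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.data_subject_id, validate_consent(rec) or "OK", granted_purposes(rec))
```

Run stand-alone, the first record reports five violations (missing notice version, a pre-ticked marketing box, non-explicit consent for health data, a 14-year-old without parental authorisation, and no withdrawal through the channel used to collect consent) and only "profiling" survives as a usable purpose; the second record passes. The point of the design is that the record itself carries the evidence the controller would need to produce on request, rather than only a boolean "consented" flag.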



What is a privacy notice?
The privacy notice is the set of information which must be provided to data subjects (namely the natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and with whom they will be shared.

Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.

What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.

Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.

Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.

When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).

Conversely, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (additionally specifying the source of the data) within a reasonable period after obtaining them, at the latest within one month, or in any event at the moment of their first communication (to a third party or to the data subjects themselves). The GDPR also provides for certain exemptions in this situation (art. 14, par. 5), which cover cases in which: a) data subjects already possess all the relevant information; b) the provision of such information would prove impossible or would involve disproportionate effort; c) the collection or disclosure is expressly laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty, and therefore the responsibility, of the data controller to assess whether one of the above-listed circumstances applies.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.

How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.

posted by admin on February 15, 2018

Privacy

(No comments)

In view of the imminent deadline for the application of the European legislation on the protection of personal data, the Ministry of Justice has appointed a team of experts whose immediate task will be to assure that the current Italian Privacy Code complies with the new rules.

There are two European instruments which will need to be implemented in the Italian framework in May 2018. Regulation (EU) 2016/679 of the European Parliament and of the Council on data protection (GDPR), which repeals the 1995 Directive, applies from May 25th 2018, while the deadline of May 6th has been set for adopting and publishing the legislative, regulatory and administrative provisions implementing Directive (EU) 2016/680, which concerns the protection of personal data processed by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.

In order that the Italian Code on personal data protection will comply with the new rules as quickly as possible, the Government has taken the decision to also utilise a team of qualified experts from outside the Administration and from different professional fields. On December 14th 2017, Professor Giusella Finocchiaro was appointed by the Ministry of Justice to lead the Working Group in charge of drawing up the Legislative Decrees to guarantee the prompt implementation and compliance of the internal framework with the European data protection requirements.

posted by admin on February 1, 2018

Copyrights

(No comments)

The Swedish streaming music giant must contend with a lawsuit from the American company Wixen Music Publishing which is suing it for copyright infringement, specifically alleging Spotify is using thousands of its songs without a proper licence and compensation to the music publisher.

Spotify, the company which offers unlimited music streaming on subscription, is accused of failing to pay fair royalties to the right-holders of Wixen Music Publishing which manages the rights of 10,784 songs of artists such as Tom Petty, the Doors, Carlos Santana and Neil Young.

The music publishing company is seeking a damages award from Spotify of $150,000 in statutory compensation per song, for a total of more than $1.6 billion.

Spotify is not new to this kind of legal action. In May 2017, after a drawn-out lawsuit, the Stockholm based company reached an agreement to settle a class action led by the singer-songwriters David Lowery and Melissa Ferrick, agreeing to pay $43 million to the authors ahead of the listing of its shares on the New York Stock Exchange (NYSE) expected this year. In July 2017, songwriter Bob Gaudio and the Nashville music publisher Bluewater Music Services filed lawsuits on the same grounds.

Meanwhile Spotify has filed documentation with the Securities and Exchange Commission (SEC) for a direct listing of its shares on the New York Stock Exchange, which should take place by the first quarter of the year. Spotify, the clear worldwide leader in music streaming, recently revealed that it has over 70 million paying subscribers. Its value was estimated at $8.5 billion last year, but the company’s value seems to have risen to $20 billion after a recent equity share swap with the Chinese giant Tencent Music Entertainment.
