Both the “Salva-Italia” Decree (“Save Italy” Decree) (Law Decree No 214 of 22nd December 2011) and the “Semplificazioni” Decree (“Simplification” Decree) approved last Friday by the Italian Cabinet of Ministers carry out major cuts to the so-called Privacy Law.
By changing the definition of personal data, the “Save Italy” Decree has determined that the Code for the protection of personal data will no longer be applied to information regarding private bodies, public bodies or associations, hence to the data of companies, enterprises and public bodies. This means that information sheets are no longer required to treat this data, nor is it necessary to seek consent or to verify that the treatment of the data is consistent with the institutional goals of the public body. In addition to this it is not necessary to appoint staff responsible for and in charge of data treatment or to apply security measures. As provided for by that same law this also means that private bodies have no legal right to exert control over data.
In brief, the Privacy Law does not apply to the data of enterprises, companies, private bodies in general or to public bodies and associations.
As reported in the press release issued by the Cabinet of Ministers, the “Simplification” Decree approved last Friday seems to provide for the abolition of the security policy document.
In both cases these changes to the provisions of Italian law are not present in the European directive.
Should the abolition of the security policy document be confirmed, it must be clarified that the obligations regarding security still remain as also do the criminal, administrative and civil responsibility resulting from the failure to adopt security measures. The abolition of the security policy document does not and should not in any way lead to a slackening of levels of security in the processing of personal data because, as is well known, there is no privacy without security.