Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4, par. 1, n. 11). Analysis of the definition shows that consent represents an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as hypothetical silent consent, for example. Moreover, in the same way as the Italian privacy Code, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constrictions); specific (one for each processing purpose) and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is one of several alternative legal bases provided by the GDPR to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever none of the other legal bases listed in art. 6 of the GDPR can be relied on. These other bases are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without the consent of the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five further legal bases, which largely take up the alternatives already provided for by the Italian privacy Code. Processing will be lawful even in the absence of consent if (lettered as in art. 6, par. 1):

b) it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

c) it is necessary for compliance with a legal obligation to which the controller is subject;

d) it is necessary in order to protect the vital interests of the data subject or of another natural person;

e) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it is the duty and responsibility of the controller to balance his/her legitimate interest against the rights of the data subjects, and to justify why that interest overrides the interests of the data subjects concerned.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these are fraud prevention and direct marketing (the latter where the controller uses the contact data the data subject gave him/her in the context of the sale of a product or a service, without asking for the data subject’s consent, provided that the data subject, adequately informed, has not refused it). The processing of data for internal administrative purposes, or in order to ensure the security of networks and information, may also be considered to be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, the GDPR also provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which when processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; for reasons of public interest in the field of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access through the Internet, the GDPR seeks to strengthen the protection of children from the dangers of the Internet. Art. 8 therefore specifies that consent given by a child for the processing of his/her personal data in the context of an information society service is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age, provided that it is not below 13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfil in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise, in order to create a GDPR compliant consent form:

1) consent must be a clear and unambiguous act: it can be collected in writing, including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by silence, inactivity or pre-ticked boxes;

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services; or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data;

2) it must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved, the age of the child must be verified or parental consent must be asked for;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to the processing of his/her personal data, and must also inform the data subject of his/her right to withdraw consent at any time and that it is as easy to withdraw consent as to give it.

In a piece published on the 15th April 2017 in the Quotidiano Nazionale (a daily which features articles from three Italian newspapers, Il Resto del Carlino, Il Giorno and La Nazione), Giusella Finocchiaro offered her thoughts on data protection and minors.

“Can children and adolescents sign up to Facebook or other social network accounts?

If being of age is a legal requirement for concluding a contract, then, why should it not be the case for signing up to a social network account? What is the age required for giving valid consent to the processing of personal data? Under Facebook regulations it is 13 years of age and under Italian law it is 18.

Then, why are so many Italian children and adolescents signed up to social networks? The answer is simple: according to the majority of subscription contracts, it is not Italian law which is applicable but the law governing the social network, which means, in the case of Facebook, the law of the United States of America and of the State of California.

Which law takes precedence? This is the most classical legal problem on the Internet, namely, determining which law is applicable and the jurisdiction. The new European Regulation n. 2016/679 on the Protection of Personal Data, which represents the new European law on data protection and is directly applicable from 25th May 2018, solves the problem with a partial compromise. It provides that European law takes precedence and that 16 is the minimum age to sign up (with an option for each Member State to set a lower age, provided that it is not below 13 years). Where the child is below the age of 16, parental consent is given or authorised.

According to certain recent Italian decisions in similar cases (the posting of pictures of their own children on social networks), the consent of both parents is needed. It is clear that it will not be very difficult to get round this provision. However, as the European Regulation provides for, it is the social network itself which will need to keep a check on things, by using available technology”.

posted by admin on November 15, 2016

computer crimes


This is a summary of the interview given by Prof. Giusella Finocchiaro to Vanity Fair, in which she was invited to explain certain legal aspects underlying some particular recent news items regarding online privacy.

Social media allow users to choose the level of visibility of each post they publish; however, for abuses such as videos circulated illegally online, judicial measures are required. Giusella Finocchiaro, the first attorney at law in Italy to teach Internet law, explains how.

Two cases recently appeared in the news within the space of just 24 hours: the suicide of a 31-year-old woman whose hard-core video had been circulating illegally on the web for more than a year, and the case of a 17-year-old girl whose friends recorded and posted a video of her while she was being raped in a disco. Both of these cases raise the question of where the limits of privacy on the Internet lie. The head of the Italian Data Protection Authority, Antonello Soro, spoke of «the risk of being pilloried that the Net exposes us to, given the lack of adequate user awareness of the nature of its unlimited space and of the damaging effects that violent communication or the ferocity of ruthless mockery on the part of others may cause».

Soro did not speak of a lack of legislation, but rather of the need for «appropriate response procedures on the part of the different platforms» and of another fundamental need: namely «to cultivate respect among people on the Internet». Investment in digital education is also fundamental according to Giusella Finocchiaro (attorney at law and Professor of Private and Internet Law at the University of Bologna, the first chair for this subject in Italy): the laws exist, and the legal course followed by Tiziana Cantone (the woman who committed suicide) was the correct one, but timescales remain lengthy and not everyone knows how to protect themselves.

posted by Giusella Finocchiaro on May 20, 2011

Privacy


The Law Decree regarding “Prime disposizioni urgenti per l’economia” (Urgent First measures for the Economy), also called “Decreto-Sviluppo” (Development Decree), which was published in the Official Journal on May 13 and which led to much discussion of provisions concerning beach concessions, also contains several relevant amendments to the Privacy Code.

This Law Decree must be approved by parliament within 60 days of its publication in the Official Gazette, before which it can be changed.

The following is a brief summary of the main changes:

Data regarding public and private bodies

The new art. 3-bis states that the processing of data regarding public and private bodies, in communications between such bodies and for administrative and accountancy purposes, is no longer subject to the Privacy Code. This exemption does not cover all data regarding private or public bodies, but only data that matches all of the following criteria:

1) data concerning private or public bodies;

2) data used for communications between these bodies;

3) data used for administrative and accountancy purposes.

One example is invoicing data shared between companies for administrative purposes.

We would like to underline that EU Directive 95/46/EC applies only to data regarding natural persons, and that in 1996 the Italian legislator made a different choice.

CVs of job seekers

Data controllers would no longer need to provide the privacy information notice to job seekers who send their CVs on their own initiative. The notice, which may also be given orally, will only be required at the time of first contact after the CV has been sent. In such cases, the consent of the CV senders would no longer be necessary, even where the CVs contain sensitive data.

Consent in relationships between companies

The consent to data communications between companies (in specific areas) for administrative and accountancy purposes will no longer be necessary.

Security measures

Data controllers whose only sensitive and judicial data concern their own employees and collaborators (and their partners and relatives) will no longer be obliged to compile the specific security document provided for by Italian law. Instead, they may present a self-certification.

However, it must be borne in mind that self-certification also entails significant consequences in terms of liability under the Criminal Code.

The Italian Privacy Authority could further simplify matters on the issue of security.

Administrative and accountancy purposes are precisely defined in the new art. 34, par. 1-ter.

Unwanted marketing communications

As is already the case for marketing calls, consent will no longer be necessary, and the opt-out system, with its register of opposition, will also be extended to communications sent by ordinary mail.

posted by admin on January 2, 2011

Events


Law & the Internet, the international version of the Finocchiaro Law Firm’s blog, is now available.

Our new venture aims to offer an update about Italian laws dealing with the Internet and new technologies to everyone who wishes to keep up with these developments in English. The need for our new English language blog is a natural consequence of a considerable increase in activity on the international scene by Giusella Finocchiaro and her law firm.

The most frequently debated topics on the new blog will be: Privacy, Data Protection, Electronic Commerce, Electronic Signatures and Intellectual Property Rights.

Law & the Internet is one of the first extensive sources of information in English on Internet law in Italy.

The Finocchiaro Law Firm aims to offer new source materials through this new service in order to make its own personal contribution to the international debate in this field.
