Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by Maria Chiara Meneghetti on June 1, 2018

GDPR Regulation EU 2016/679, Privacy

The privacy regulation (Regulation (EU) 2016/679) will soon be directly applicable across the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

What does “transfer of personal data” mean?

The GDPR does not give a precise definition of what “transfer” means. Reading the provisions that regulate transfers of personal data (Arts. 44-50 of the GDPR), it can be inferred that by “transfer” the GDPR indicates a movement of personal data from a controller or processor of personal data inside the EU to a controller or processor outside the EU.

The GDPR broadens the scope of application of the regulation. Firstly, it also includes those cases in which personal data are transferred to an international organisation. Secondly, the GDPR requires the rules on transfer to be applied not only to “direct” data transfers from a European to a non-European country, but also to successive transfers, namely when the recipient to whom the data were initially transferred subsequently transfers them to other subjects.

What is the procedure a controller or a processor must follow when he/she wishes to transfer personal data?

The data controller or data processor may carry out a transfer of personal data only when they fulfil one of the conditions provided for in articles 45-49 of the GDPR.

What “mechanisms” may be used?

The “mechanisms” listed in articles 45-49, which controllers and processors may use to transfer personal data, partially cover the list of conditions already provided for by the Italian Privacy Code or produced by the Article 29 Working Party. By way of example, a transfer will be legitimate in cases in which: the third country to which personal data are being transferred has obtained an adequacy decision from the European Commission; the transfer is conditional upon appropriate safeguards, such as the use of standard contractual clauses (SCCs) between sender and receiver or, for intra-group transfers, the adoption of binding corporate rules (BCRs) by the group of enterprises; or the sender fulfils one of the derogations set out in art. 49 of the GDPR (e.g. he/she has collected the data subject’s consent).

What changes with the GDPR?

On the one hand, the GDPR has made available new “instruments” for data transfers and on the other it lays out the different conditions according to a scale of importance: the adequacy decision becomes the pillar of the new system; controllers or processors will only have to adopt one of the other alternatives offered by the GDPR in its absence.

In the context of appropriate safeguards, binding corporate rules take on their own importance and are regulated in detail in art. 47 of the GDPR, which lists their minimum content. Art. 46, on the other hand, makes changes to the list of the legal grounds which can be used for a transfer, backing up SCCs and BCRs with: the adoption of a “legally binding and enforceable instrument between public authorities or bodies”; signing an approved code of conduct; or subscribing to a certification mechanism. Moreover, SCCs, which were formerly only valid when adopted by the European Commission, may henceforth also be adopted by a National Control Authority (provided they are then approved by the European Commission or submitted to the consistency mechanism referred to in art. 63 of the GDPR).

Finally, art. 49 specifies the other possible “derogations for specific situations”, which the sender can use in the absence of both an adequacy decision and an appropriate safeguard.

Are already adopted adequacy decisions still valid?

The GDPR specifies that the adequacy decisions adopted on the basis of directive 95/46/CE remain valid until they are modified, substituted or revoked by a European Commission decision, for example following the periodic four-year review required for all adequacy decisions. Therefore, all adequacy decisions adopted up to the present time remain valid for the moment.

Already adopted adequacy decisions may be consulted HERE.

What SCCs can currently be used?

With regard to standard contractual clauses, the European Commission has so far issued model clauses for data transfers from data controllers in the EU to data controllers established outside the EU and it has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU, which can be found HERE.

In addition, a model SCC for the transfer of data from a processor established in the EU to another processor established in a third country is currently under preparation.




posted by Laura Greco on May 2, 2018

GDPR Regulation EU 2016/679, Privacy

The privacy regulation (Regulation (EU) 2016/679) will soon be directly applicable across the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation.

In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that, starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.

What is the record of processing activities?

This is a new obligation introduced by the GDPR which requires a full documentation of all processing operations carried out under the authority of the controller and the processor.

Whose obligation is it to keep records?

Novel in the GDPR is that the controller and the processor are both independently responsible for drafting and keeping records. The controller’s record and the processor’s will be two distinct documents, each one with specific content.

Compiling the record could be delegated to the Data Protection Officer (DPO), however, without in this way transferring responsibility for compliance with this obligation from the controller and the processor. The controller and processor could also ask for assistance from department managers in their organisations, who would probably be more familiar with the processing activities carried out in their departments and could more easily provide specific, detailed information about such processing.

Are there any waivers or exceptions in the GDPR?

The new Regulation provides that the duty of maintaining a record of processing activities does not apply to enterprises or organisations employing fewer than 250 persons. However, in order for this exemption to be valid, the processing carried out must not be likely to result in a risk to the rights and freedoms of data subjects, it must be occasional and it must not include special categories of data (e.g. health data, biometric data) or personal data relating to criminal convictions and offences.

What information should be contained in the record?

The minimum content of information changes depending on whether the document concerns the controller’s processing activities or those of the processor.

In the first case, the controller shall indicate: a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; b) the purposes of the processing; c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the personal data have been or will be disclosed; e) where applicable, the identification of the third country or the international organisation to which data are transferred, including the documentation of suitable safeguards; f) where possible, the envisaged time limits for erasure of the different categories of data; g) where possible, a general description of the technical and organisational security measures.

In the second case, the processor shall specify only: a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer; b) the categories of processing carried out on behalf of each controller; c) where applicable, the identification of the third country or the international organisation to which data are transferred, including the documentation of suitable safeguards; d) where possible, a general description of the technical and organisational security measures.

Can the record be drafted and kept in electronic form?

The GDPR provides that the records of processing activities must be in writing, including in electronic form. Therefore, it will also be possible to draft and keep records directly on IT equipment, for example by creating an Excel file.

Are there other obligations which go with the record?

It is not sufficient to simply draft the processing record in order to be fully compliant with the GDPR. It should be periodically revised and updated, in particular by adding new processing activities and/or removing those which have been terminated; in other words, the record must be kept up to date so that it reflects the organisation’s present processing activities.

In addition, the controller and the processor (where applicable, their representative) are under the obligation to make the record available to the supervisory authority on request.



posted by Maria Chiara Meneghetti on April 23, 2018

GDPR Regulation EU 2016/679, Privacy

The privacy regulation (Regulation (EU) 2016/679) will soon be directly applicable across the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the provisions of the new legislation. In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that, starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.

What are the rights of the data subject?

The data subject, namely the natural person whose personal data are processed, has a number of rights, which he/she can exercise with the data controller at any time and which allow him/her to keep control of the data provided and their use.

These rights, many of which were already provided for by the Italian privacy Code, are for instance: the right of access (which gives data subjects the right to obtain confirmation of whether the controller is processing their personal data); the right of rectification (on the basis of which data subjects are entitled to require a controller to rectify any errors in their personal data without undue delay); and the right to object to processing (on the basis of which data subjects have the right to object to continued data processing under specific circumstances).

What changes with the GDPR?

The GDPR expands the list of rights by adding to it: the right to erasure (the right to be forgotten); the right to restriction of processing and the right to data portability.

From the data controller’s point of view, he/she remains responsible for facilitating data subjects’ exercise of their rights (by adopting all appropriate technical and organisational measures) and for answering their requests (with the possible collaboration of the data processor).

In particular, for all rights the GDPR sets the deadline for answering data subjects’ requests at one month, which can be extended up to 3 months, in consideration of the complexity and number of requests submitted. At any rate, the data controller must also give a written answer to the data subject in cases of denial within one month of the request. The answer, usually given in written form, must be concise, transparent and written in plain and clear language.

What is the right to erasure (the right to be forgotten)?

The right to be forgotten states that data subjects have the right to require data controllers to erase the personal data they hold.

However, the right to be forgotten cannot be exercised in every circumstance, but only when one of the specific conditions listed in art. 17 of the GDPR occurs. The conditions are those in which:

1) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

2) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

3) he/she objects to the processing and there are no overriding legitimate grounds for the processing;

4) the personal data have been unlawfully processed;

5) the personal data have to be erased for compliance with a legal obligation (in Union or Member State law to which the controller is subject);

6) the personal data have been collected in relation to the offer of information society services, when the data subject was still a child (therefore he/she was not fully aware of the risks deriving from the processing of his/her data).

In addition to the obligation to comply with the data subject’s request for erasure in one of the above-mentioned situations, the data controller must fulfil another obligation. In digital environments, the circulation and spread of information have a significantly wider scope compared to their circulation in the physical world. For this reason the GDPR has provided that where the controller has made the personal data public (e.g. on a website), he/she shall (take reasonable steps to) inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The only limits to the right to be forgotten arise in cases where the right of the data subject to obtain the erasure of his/her personal data is overridden by higher interests, for instance to the extent that data processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the performance of a task carried out in the public interest. The right to be forgotten may also be denied in cases where the storage of data is necessary for the establishment, exercise or defence of legal claims.

What is the right to restriction of processing?

By exercising this right, the data subject can “restrict” the processing of his/her data in some situations. It provides him/her with an alternative to requiring data to be erased: the data subject requests the temporary suspension of processing.

The right to obtain a restriction of processing can be exercised when:

1) the data subject disputes the accuracy of his/her personal data and so requests restriction of their utilisation for a period in which the data controller will be able to verify their accuracy;

2) the processing is unlawful, but the data subject objects to erasure of the personal data and requests restriction of their use instead;

3) the controller no longer has need for the personal data for the purposes of processing, but the data subject requires them to establish, exercise or defend legal claims;

4) the data subject has objected to processing and the restriction of processing is implemented pending verification of whether the legitimate grounds of the controller override those of the data subject.

What is the right to data portability?

The right to data portability is a right with a double content. Firstly, it consists in the right of the data subject to receive the data in a structured, commonly used and machine-readable form. There is no express indication of the type of format to be used, but it is evident that the objective is that of assuring that the data are provided in an “interoperable” format, which allows easy re-use across a variety of devices and services.

In addition, the right to data portability represents the right to transmit (but also to obtain the direct transmission of) those data to another data controller (“when technically feasible”), without the “original” controller being able to hinder this. In other words data controllers must provide the conditions for data subjects to be able to easily and without hindrance transfer their personal data from one IT system to another.

The right to data portability cannot be exercised unconditionally either, but only when the personal data fulfil a number of conditions. In particular they must be:

1) personal data provided to a controller clearly referring to the data subject (obviously anonymous data are excluded);

2) processed based on the data subject’s previous consent or for the performance of a contract, to which the data subject is party;

3) processed by automated means;

4) provided to a controller by the data subject. This condition needs to be interpreted broadly, so that the right is not limited to the data knowingly and actively provided by the data subject (e.g. data collected from a subscription form), but also covers data provided by the use of a service or device (e.g. location data, traffic data or the data subject’s search history).

It is vital to point out that, in contrast, the right to data portability cannot be exercised on so-called derived or inferred data, namely the product of analysis carried out by the data controller based on the data provided by the data subject. These are data “created” by the data controller, which he/she keeps (e.g. the outcome of a data subject’s health assessment, or a profile created in the context of risk management (e.g. to assign a credit score) or of complying with anti-money laundering (or other financial crime) legislation).



The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4, par. 1, n. 11). Analysis of the definition shows that consent represents an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as hypothetical silent consent, for example. Moreover, in the same way as the Italian privacy Code, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constrictions); specific (one for each processing purpose) and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is one of the many legal bases that the GDPR provides, as alternatives to one another, to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever none of the alternative legal bases listed in art. 6 of the GDPR can be used. These are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without consent from the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five different legal bases which mainly take up the alternatives already provided for by the Italian privacy Code. Processing will be lawful even in the absence of consent if: a) it is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; b) it is necessary for compliance with a legal obligation to which the controller is subject; c) it is necessary in order to protect the vital interests of the data subject or of another natural person; d) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; e) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it will be the duty and responsibility of the controller to balance his/her legitimate interest with the rights of data subjects and justify that his/her interest overrides the interests of the various data subjects.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these are fraud prevention and direct marketing (which occurs when the controller uses the contact data the data subject has given him/her in the context of the sale of a product or a service without asking for the data subject’s consent and provided that the data subject, adequately informed, had not refused it). The processing of data for internal administrative purposes or in order to assure the security of networks and information may also be considered to be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, the GDPR also provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which when processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; for reasons of public interest in the field of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access thanks to the use of the Internet, the GDPR wishes to strengthen the protection of children from the dangers of the Internet. Therefore, Art. 8 specifies that consent given by a child for the processing of his/her personal data in the context of an information society service is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age provided that it is not below 13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfill in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise, in order to create a GDPR-compliant consent form:

1) consent must be a clear and unambiguous act: it can be collected in writing, including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by: silence, inactivity or pre-ticked boxes.

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data.

2) it must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved: the age of the child must be verified or parental consent must be asked for;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to processing of his/her personal data and also to inform the data subject of his/her right to withdraw his/her consent at any time and that it is as easy to withdraw as to give consent.



The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.

What is a privacy notice?
A privacy notice is the set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.

Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.

What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.

Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.

Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.

When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).

Conversely, however, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or at any rate from the moment of their communication (to a third party or to the data subjects themselves). The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty, and therefore the responsibility, of the data controller to assess whether one of the above-listed circumstances applies.
In addition, data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.

How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.

posted by admin on December 15, 2017


The European Parliament has endorsed the opening of negotiations between the Parliament itself and the Council concerning the procedure for adopting the proposal for the Regulation on Privacy and Electronic Communications.

The current directive on e-Privacy was last reviewed in 2009. The proposal for review, which was submitted on 10th January 2017, replaces this directive with a Regulation which complements and particularises the European framework on data protection, bringing it into line with the General Data Protection Regulation (“GDPR”), which will apply from 25th May 2018.

The Regulation on Privacy and Electronic Communications submitted by the Commission will increase the protection of people’s private life and open up new opportunities for business. The measures presented aim at revising current rules, extending the scope to all communication service providers. The rules on privacy will now also apply to new operators who provide electronic communication services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. The current e-Privacy Directive, which now only applies to traditional communication service providers, will be updated.

The objective is to increase trust in, and the security of, the Digital Single Market, striking the right balance between a high level of protection for consumers and the opportunity for businesses to innovate. In addition, the proposal provides that personal data processing carried out by European institutions and bodies will ensure the same level of protection as that guaranteed by single Member States, as laid down in the General Data Protection Regulation (GDPR), and it defines a strategic approach to questions regarding the cross-border transfer of personal data.



posted by Laura Greco on May 15, 2017



The Italian Court of Cassation has recently been called on to deal with the issue of whether payment descriptions for bank transfers qualify as sensitive data, in cases in which they specify indemnity payments for illness or disability using the wording “allowance ex L. 210/1992” (the law which grants allowances to parties who have suffered irreversible complications due to mandatory vaccination and blood transfusions or, in cases of death, to their families).

The Supreme Court judges have expressed conflicting decisions in several such cases. In all the examined cases, the matter concerned the relations between the Region, which issues the allowance and authorizes the bank transfer, and the ill or disabled party’s bank, which is the recipient of the allowance on behalf of its current account holder.

In the case of the first decision dating from 2014 (judgement n. 10947 of 19th May 2014), the Court considered the payment description, which quoted the above-mentioned legislative references, as sensitive data and thus determined that both the Region and the bank had unlawfully processed personal data since they had not adopted security measures for the transmission and dissemination of said data, such as encryption techniques and non-identifiable codes, as provided for by Art. 22, 6° par. of the Personal Data Protection Code.

In the second decision (judgement n. 10280 of 20th May 2015), which is clearer and better developed than the previous one, the Supreme Court judges overturned their first approach and followed a quite different decision-making process. Firstly, they rejected the concept that payment descriptions for allowances filled out in such a way constituted sensitive data, as the law quoted provided that the recipients of these allowances could either be the parties directly affected or otherwise their families. Since the payment of the allowance did not depend on the illness of the party who actually received it, the judges concluded that the information was not sufficient to reveal the recipient’s state of health and, therefore, did not constitute sensitive data.

Secondly, according to the Supreme Court, it was not a question of the Region rendering the data transferred to the bank public, as this would have implied – in conformity with Art. 4, lett. m) of the Code – disclosure of the data to unspecified parties, whereas in this case the disclosure was only made to the bank of the current account holder who was the beneficiary of the allowance.

Furthermore, the judges considered that references to Art. 22, 6° par. of the Code were groundless, since, as correctly quoted, the adoption of encryption techniques is only required in specific cases where the data originate from directories or registries and the aim is to manage and consult them. Neither could the bank be considered to have the responsibility for adopting these measures, for three different reasons: firstly, the provision is only applicable to public bodies; secondly, private entities are only obliged to adopt encryption measures in relation to sensitive data which would reveal a state of health and were processed with electronic systems, both of which conditions are missing in the present case; finally, communicating to a client of the bank his/her own personal data does not constitute processing of personal data.

Finally, in the opinion of the Court, the role of the bank was that of the current account holder’s representative and it received the payment from the Region on his/her behalf: thus, the payment was to be considered as being directly effected by the debtor (the Region) to the creditor (the recipient of the allowance). Therefore, the Supreme Court considered both the Region’s and the bank’s conduct to be within the law and acknowledged there had been no illegal processing of personal data.

This question has recently once again been deliberated by the 1st Civil Division of the Court of Cassation, which has issued two interlocutory orders (no. 3455 and no. 3456 registered on 9th February 2017) delegating to the “Sezioni Unite” (the Joint Divisions) the task of devising a solution to this conflict of case law. On this occasion the Supreme Court has abstained from expressing its own opinion one way or the other with regard to the different interpretations of case law regarding this issue, and has simply commented on the nature of payment descriptions as “sensitive data”. The Court has pointed out that, even if payment can be made both to the family and the ill or disabled party, only the latter would receive payment in instalments (whereas family would receive a lump sum). This particular method of payment would clearly identify the recipient of the payment as the victim of illness or disability and for this reason the indication of a payment in instalments would constitute sensitive data.

We will have to wait to see how the Joint Divisions will solve this conflict of case law we have just described and in particular whether they opt for a broad or restrictive interpretation of the concept of sensitive data.



posted by admin on March 31, 2017

computer crimes


The Italian DPA has imposed fines totalling over 11 million euros on five money transfer companies which had unlawfully processed more than one thousand users’ personal data in order to bypass anti money-laundering regulations.

These companies collected and transferred to China sums of money belonging to Chinese businessmen, violating both the anti money-laundering law and the data protection law. By using the technique of structuring (i.e. the technique of breaking up large amounts of money into several smaller transactions below the anti money-laundering legal threshold), companies allocated money transfers to more than 1,000 customers, who were completely unaware of these transactions, by illegally using their data.

These serious violations came to light during an investigation by the Procura di Roma (the Rome Public Prosecutor’s Office). The Currency Police Unit of the Italian Financial Police, authorised by the Judicial Authorities, ascertained that the names of the people these money transfers were registered to did not correspond to the real senders. In addition, in certain cases the transaction forms turned out not even to have been signed or to have been filled out by people who were either deceased or non-existent. The personal data used were taken from photocopies of ID documents, which were stored in specific folders to be used when needed. Money transfers were carried out within seconds of each other and involved sums of money which were just under the legal threshold and addressed to the same recipient.

Due to this infringement of the Data Protection Law committed by the companies, the Italian Data Protection Authority was obliged to intervene and, in view of the seriousness of the violations, the number of parties involved whose personal data had been processed without their consent and the importance (and size) of the database, has imposed the following fines: 5,880,000 euros for the multinational corporation and fines of 1,590,000 euros, 1,430,000 euros, 1,260,000 euros and 850,000 euros respectively for the other four companies, for a total of over 11 million euros.



posted by admin on March 1, 2017



The Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.

The project, which was devised by an organisation structured as an association and a company appointed for its management, is based on a web platform and a database which gathers vast amounts of personal data either uploaded by users or obtained from the web, on various types of individual – from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then be able to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant problems in relation to privacy due to the confidential nature of the information, the pervasive impact on the interested parties and the method of processing. Essentially, the system implies the massive collection, also online, of information liable to have a significant impact on the economic and social representation of thousands of people. Such processed reputation ratings might have serious repercussions on the lives of those who had been rated, since they might influence other people’s choices as well as jeopardising access for rated parties to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to regulate the settings of the “ratings”, which would be calculated without rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures, which are principally based on “weak” authentication systems (user IDs and passwords) and on encryption techniques only for judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the time period for data storage and privacy policies for interested parties.

Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.



posted by admin on November 15, 2016

computer crimes


This is a summary of the interview given by Prof. Giusella Finocchiaro to Vanity Fair, in which she was invited to explain certain legal aspects underlying some particular recent news items regarding online privacy.

Social media allow a choice of the level of visibility for each post published; however, for cases such as that of videos illegally circulated online, judicial measures are required. Giusella Finocchiaro, the first attorney at law in Italy to teach Internet law, explains how.

Two cases recently appeared in the news in the space of just 24 hours: firstly, the suicide of a 31-year-old woman, whose hard core videotape had been circulating illegally on the web for more than a year, and secondly, the case of a 17-year-old girl, whose girl friends recorded and posted a video of her while she was being raped in a disco. Both of these cases raise the question of what the limits of privacy on the Internet are. The head of the Italian Data Protection Authority, Antonello Soro, spoke of «the risk of being pilloried that the Net exposes us to, given the lack of adequate user awareness of the nature of its unlimited space and of the damaging effects that violent communication or the ferocity of ruthless mockery on the part of others may cause».

Lack of legislation was not in question
Soro did not speak of a lack of legislation but rather of the need for «appropriate response procedures on the part of the different platforms» and also of another fundamental need: namely «to cultivate respect among people on the Internet». Investment in digital education is also fundamental according to Giusella Finocchiaro (attorney at law and Professor of Private and Internet Law at the University of Bologna, the first chair for this subject in Italy), as laws exist and the legal course followed by Tiziana Cantone (the woman who committed suicide) was the correct one, but timescales remain lengthy and not all people know how to protect themselves.


