The New European Privacy Regulation 2016/679

The new European Privacy Regulation 2016/679 (GDPR) has been in force since May 24th, 2016 and will become mandatory in all Member States of the European Union as of May 25th, 2018.

By issuing this Regulation, the European Union intends to unify the privacy rules of the Member States, with the purpose of ensuring greater and more specific protection for European citizens and their personal data.

The Regulation introduces important innovations that substantially modify the legislation previously in force in Italy (d.lgs. 196/2003), requiring companies and public authorities to revise their internal policies on data processing, concerning both employees and individual users.

Among the most notable innovations introduced by the EU legislator, the significant strengthening of the previous sanction regime is particularly important, as it requires all companies to comply adequately and effectively with the Regulation. Some large internet companies have already taken note of this change of course in the protection of personal data and have stated that they are working to be ready for 2018.

Compliance with the Regulation will be an essential requirement for maintaining business relations with public authorities and large multinational groups, and for operating in the communication, marketing and e-commerce markets and in all other fields of the new economy in general.

The main innovations introduced by the new EU Regulation may be summarised as follows:

FUNDAMENTAL PRINCIPLES OF THE REGULATION

The “Privacy by design” principle requires that personal data protection be integrated from the very beginning of the design of company processes and the IT applications supporting them. The “Privacy by default” principle requires that companies process, by default, only the personal data strictly necessary for the processing purposes, to the extent and for the period strictly necessary, ensuring from the design stage of the data processing system that no excess data is collected. Moreover, the Accountability principle establishes that all subjects who process data must keep records of all the processing carried out; sanctions may be applied regardless of the actual use of the data, since the mere failure to keep records of the processing is deemed sufficient to incur them.

CONTENTS OF THE PRIVACY POLICY

One of the novelties concerns the obligation to use simple and transparent language, to inform the persons concerned of the details of the Data Controller and the Data Processors, as well as of the Data Protection Officer (if any), and to communicate the purposes and the timing of the data processing.

RIGHTS OF THE DATA SUBJECTS

The data subjects must be informed of their rights, including in particular: the “right to be forgotten in the digital environment”, previously established in case law and relating to a person's right to obtain the deletion of their personal data; the right to data portability, under which users shall be free to transfer their personal data to other subjects; and the right not to be subject to a decision based solely on automated processing, the existence of which, if any, must be disclosed to the persons concerned.

CONSENT TO THE USE OF PERSONAL DATA

Before the data processing begins, the data subjects must give unambiguous and explicit consent to the processing of their personal data; consent may not be granted tacitly.

RECORDS OF PROCESSING ACTIVITIES

In place of the current obligation to notify processing activities to the Supervisory Authority in advance, Data Controllers and their Representatives must keep a record of processing activities, in which all aspects of each individual processing activity must be registered.

DATA BREACH

Data breaches must be promptly detected and reported, depending on the circumstances, to the Control Authorities and/or to the individual data subjects.

DATA PROTECTION IMPACT ASSESSMENT

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, an assessment of the impact of the envisaged processing operations on the protection of the personal data concerned must be carried out.

SENSITIVE DATA

Particular caution must be used when processing so-called “sensitive data” (i.e. data relating to religious beliefs, political opinions, trade-union membership, health or sexual orientation, etc.), by adopting additional security measures.

INSTITUTION OF THE DATA PROTECTION OFFICER (DPO)

For the following categories of subjects carrying out data processing it is mandatory to appoint a DPO, who acts as the point of contact between the Control Authority and private individuals and performs advisory and safeguarding functions:

  • Public authorities or bodies in general;
  • Controllers or Processors whose core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • Controllers or Processors whose core activities consist of large-scale processing of sensitive data, such as data relating to health or sexual orientation, and genetic, judicial or biometric data.

These categories of subjects are obliged to appoint a DPO, while for other types of companies the appointment is discretionary.

In light of the important innovations described above, it will consequently be necessary to revise any Privacy Policy forms currently in use that do not meet the specific requirements of the new EU Regulation, and to assess the need to change and/or adapt companies’ privacy policies.