Monthly Archives: October 2023

231 organizational models and code of conduct: do companies need both?

Many Italian companies have equipped themselves with an organizational model under legislative decree 231 of 2001, as well as with a code of conduct. Are both needed and what is their relationship?

The Italian Supreme Court shed light on this question with a recent decision published on August 1, 2023, in a dispute where a third party claimed to have actionable rights on the basis of the provisions of the code of conduct.

The Court, while defining the code of conduct as an instrument of “preventive control of the correctness of the conduct of persons operating within and on behalf of the entity”, rejected the plaintiff’s claims on the sole basis of the interpretation of the provisions of the code of conduct. It added that “in companies, the Code of Conduct constitutes the necessary completion of the organization, management and control model of the entity, as a corporate document aimed at identifying, with reference to the ethics and values that inspire the business, the rights, duties and responsibilities of all those who participate in the business (employees and, where appropriate, external parties that have business relations with the companies)”.

In light of the above, the decision clearly confirms the following:

  • the code of conduct complements the 231 organizational model;
  • the provisions of the code of conduct must be interpreted considering the 231 organizational model; and
  • the provisions of the code of ethics apply to all subjects falling within the scope of application of the 231 organizational model.

Therefore, the 231 organizational model and the code of ethics are closely connected: both must be adopted, and each must be interpreted in light of the other.

AI and Healthcare: Recommendations by the Italian Data Protection Authority

The use of Artificial Intelligence in healthcare continues to grow and it is poised to reach 188 billion by 2030. It also raises many concerns.

The Italian data protection authority (Garante) has recently issued recommendations based on 10 points, which can be found here.

The Garante particularly insists on:

  1. Human in the loop: a human being must be involved in the control, validation or change of the automatic decision;
  2. No algorithmic discrimination: trustworthy AI systems should reduce mistakes and avoid discrimination due to inaccurate processing of health data;
  3. Data quality: health data must be correct and updated. Representation of interested subjects must correctly reflect the population.
  4. Transparency: the interested subject must be able to know the decisional processes based on automated processes and must receive information on the logic adopted so as to be able to understand it (easier said than done!). The Garante also requires that at least an excerpt of the Data Protection Impact Assessment is published.

Other recommendations are not surprising for anyone familiar with the GDPR:

  • Profiling and decisions based on automated processes must be expressly allowed by Member State’s laws.
  • The principles of privacy by design and privacy by default obviously play a big role in healthcare AI systems.
  • Roles of controller and processor must be correctly allocated: in particular, the public administration must ensure that external entities processing data are appointed as data processors.
  • A Data Protection Impact Assessment must be carried out and any risks must be evaluated.
  • Integrity, security and confidentiality of data must be ensured.

Striving for genuine transparency in connection with very complex and rapidly evolving algorithms is not going to be an easy task for the data controller. Similarly, understanding how AI works in a healthcare setting is not going to be simple for patients.

Italy – At Last – Implemented the Registry of UBOs (Ultimate Beneficial Owners)

All legal entities established in Italy are affected by the new regulation, which provides for a December 11, 2023 deadline.

The register of ultimate beneficial owners has been established and has become operational also in Italy, after several extensions and delays. In fact, on October 9, 2023, the decree certifying the operation of the system for the communication of data and information on beneficial ownership was published in the Official Gazette.

This last decree, which completes the implementation of anti-money laundering legislation, triggers the obligation for all companies, private legal entities (associations, foundations and other institutions of a private nature with legal personality) and trusts to communicate data and information relating to their beneficial ownership.

The communication on beneficial ownership must be made to the Companies’ Registry at the territorially competent Chamber of Commerce by and no later than December 11, 2023, using exclusively electronic methods. With regard to companies, the communication must be digitally signed by a director, without the possibility to delegate such task. Therefore, directors who do not yet have a digital signature device will need to obtain one.

Subsequently, legal entities shall notify any change in their beneficial ownership within 30 days of the occurrence of the change. In addition, on an annual basis (and in any case within 12 months from the first communication), the beneficial ownership shall be confirmed: for companies this may take place on the occasion of the annual filing of the financial statements.

For more information on the new requirements, check out our Client Alert here or reach out to us directly.

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

On July 4, 2023, the European Commission issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring better and more uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and uniform across the EU, since the proceedings followed by local data protection authorities (“LDPAs”) have been found to be designed differently and may thus lead to divergent application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-border issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings from their preliminary phase, so that recourse to the (time-consuming) dispute resolution mechanism provided by Article 65 GDPR is limited to a few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide the other involved LDPAs with a “summary of key issues”, where the main findings of fact and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the differences among Member States and make the proceedings more efficient.