All posts by Marco Bertucci

Italian Government’s Golden Power Reformed: Towards Nationalization of Strategic Sectors? Not exactly.

As announced in our previous blog post, the broader powers granted to the Italian government in relation to M&A deals became fully effective as of yesterday.

The extension of the Golden Power regime has been approved together with other emergency measures to face the current COVID-19 emergency, including massive injections of liquidity into companies that risk bankruptcy as a consequence of the continuing lockdowns (keep checking our website for the upcoming client alerts).

The declared goal of the new legislation is to protect the national strategic sectors from predatory acquisitions, which may be favored by the current market values, affected by the ongoing emergency.

In light of the European Commission guidelines of March 26, 2020 (providing guidance to the Member States on foreign investments, ahead of the application of EU Regulation 2019/452) and in line with what is happening in other countries (e.g. Spain, France, Australia, Germany and the United States), the Law Decree of April 8, 2020, introduced:

1. The extension of the Golden Power regime to:

  • supply of critical inputs (including energy or raw materials, as well as food security);
  • access to sensitive information (including personal data) or the ability to control such information;
  • the freedom and pluralism of the media;
  • the financial and insurance sectors.

2. The obligation to notify relevant acquisitions also when the purchaser is an EU entity.

3. The specification of the thresholds triggering notification: for EU companies, a controlling participation (within the meaning of Section 2359 of the Italian Civil Code); for non-EU companies, a participation of at least 10%.

4. The power of the Government to start on its own the Golden Power procedure, if the relevant entities do not comply with the notification obligations.

The extensions under numbers 1 to 3 above are temporary (the first one until a further decree is adopted and the second and third ones until December 31, 2020), while the one under number 4 has no deadline (so far).

No doubt the above reform considerably increases State intervention in the economy. One could ask whether, in short, the response to the virus is the nationalization of the strategic sectors. Nevertheless, when asked, the Cabinet Undersecretary Riccardo Fraccaro stressed that “the intervention must be temporary and urged by an emergency. This is not a nationalization of the entire economy but a public intervention to protect specific areas”.

More Powers to the Government on M&A Deals Announced as a Response to the Italian COVID-19 Outbreak

The Italian Government, through its Cabinet Undersecretary Riccardo Fraccaro, announced that stricter measures, which will impact acquisitions of Italian targets, are ready to be enacted within days, as a countermeasure to the feared speculative attacks on Italian businesses operating in strategic sectors.

The measures will be introduced through a reform of the Italian Golden Power regulatory framework.

Effective since 2012, and very recently amended to face new challenges relating to the introduction of 5G technology, the Italian Golden Power rules essentially provide the Italian Government with the power to block certain acquisitions and extraordinary transactions in order to protect Italy’s interests in strategic industries, through a system based on prior mandatory notifications to the Italian Prime Minister’s Office.

The reform announced in the past few days aims at preventing speculation and hostile takeovers, made easier by the economic crisis brought by the COVID-19 emergency, from harming Italian interests in strategic industries.

The stricter measures announced include:

  • The possibility to exercise the Golden Power also in relation to transactions within the European Union.
  • The introduction of new industries to be considered as strategic, for the purposes of the Golden Power regulatory framework.
  • The possibility for the Italian Government to autonomously intervene and exercise the Golden Power, regardless of any previous notification to the Authorities.

Details and wording of the announced reform are likely to be officially presented and enacted within days, if not hours, and updates will follow (both on our blog and website).

Only then, a first assessment on their potential impact on what is likely to be a troubled market will be possible.

For now, let us just hope that what has been defined by the Italian Cabinet Undersecretary as a “vaccine for the hostile takeover virus” will not cause severe side effects on the Italian M&A market.

Italy’s First Multi-Million GDPR Sanctions

Before last week, the Italian Data Protection Authority (“DPA”) had applied only one (modest) GDPR sanction, which placed Italy at the bottom of the lists of EU Countries by number and value of GDPR sanctions applied.

In addition to the great differences in numbers and figures – for example, compared with the soon-to-leave UK (sanctions’ amounts in Euro: Italy 30k vs. UK 315mln+) or Spain (number of sanctions: Italy 1 vs. Spain 43) – it is interesting to note that, until last Friday, the most active European DPAs (UK, France, Germany, Spain) tended to target big players in the private sector (i.e. British Airways, Marriott International, Google), as opposed to Italy’s attention to websites affiliated to a political party and run through the platform named Rousseau.

Last Friday, however, a significant change in this scenario occurred. The Italian DPA issued a press release announcing two GDPR sanctions, of Euro 8.5 million and Euro 3 million, applied to Eni Gas e Luce, a fully-owned subsidiary of Italy’s State-controlled multinational oil and gas company, Eni S.p.A.

The first sanction of Euro 8.5 million was imposed for unlawful processing in connection with telemarketing and tele-selling activities. The inspections and inquiries had been carried out by the authorities in response to several alerts and complaints that followed GDPR D-Day.

Violations included: advertising calls made without consent or despite data subjects’ refusal, absence of technical and organisational measures to take into account the instructions provided by data subjects, excessive data retention periods, obtainment of personal data of possible future customers from third parties which did not obtain consent.

The second sanction of Euro 3 million relates to unsolicited contracts for the supply of electricity and gas. Many individuals complained that they had learned about their new contracts only upon receipt of the termination letter from the previous supplier or of the first electricity bill from Eni Gas e Luce. Complaints included alleged incorrect data and false signatures.

About 7200 consumers have been affected. The Italian DPA also underlined the role of third-party contractors, acting on behalf of Eni Gas e Luce, in perpetrating the violations.

Both decisions are quite significant as, for the very first time, the Italian DPA provides its indications and illustrates its approach in dealing with data processing and violations by large companies operating in the private sector, within the GDPR regulatory framework.

Update: Italian Senate Steps Back on Light Cannabis

Optimism after last week’s news did not last very long. The Italian Senate has just approved its version of the Italian Budget Law for 2020 (still subject to the Italian House of Representatives’ vote), striking out the amendment clarifying that products with THC contents under 0.5% should not be considered as having a doping or psychotropic effect.

This quick turnaround was likely due to the highly political nature of the debate surrounding the whole industry. That debate may have influenced the Senate’s final decision on the light cannabis business and, in a very different field, may also still be slowing the increase of Italian production of therapeutic cannabis.


New Bill May Bring More Clarity for “Light Cannabis” Business

Italy faces an uncertain scenario for light cannabis (i.e. products with THC levels below 0.2%) shops and businesses, following a decision of the Italian Supreme Court last July.

The decision took a rather strict approach, specifying that, under current legislation (and especially under Law 242/2016), only certain specific types of products may be considered legal, namely:

– food and cosmetics;

– certain semi-finished products, such as fiber (“fibra”), shives (“canapulo”), powders (“polveri”), wood chips (“cippato”), oils (“olii”) or fuels (“carburanti”), for supplies to businesses and artisanal businesses of different fields, including energy;

– material intended for the practice of green manure (“sovescio”);

– organic material intended for bioengineering works or products for bio-building;

– material intended for the phytoremediation to reclaim polluted sites;

– cultivations dedicated to educational and demonstration activities, as well as research carried out by public or private institutions;

– crops used for nursery gardening (“florovivaismo”).

Whatever falls outside the items listed above, even if its THC content is below 0.2%, may be treated as an illegal drug with all the relevant implications, especially under Italian criminal law, unless such products are proven to have no doping or psychotropic effect whatsoever.

It is not difficult to imagine the negative impact of such an approach on business operators in Italy: many of them closed, interrupted or suspended their activity, right after having experienced a quite impressive boom, with an estimated yearly turnover in 2018 of euro 150 million.

Yesterday, however, the Budget Commission of the Italian Senate approved an amendment to the draft Budget Law for 2020 that, according to Senator Matteo Mantero, would clarify in express terms that products with a THC content under 0.5% cannot be considered as having a doping or psychotropic effect and, therefore, should be considered legal. Of course, this measure is linked to a specific taxation of all cannabinoid products (0.4 euro per gram of finished product), which is expected to bring benefits to Italy’s budget for 2020.

The specific amendment and the entire draft of the Budget Law for 2020 are still undergoing their approval process. We will keep an eye on it. Stay tuned for updates.

The European Data Protection Board’s Revised Guidelines on the Territorial Scope of GDPR Are Out (With Some Interesting Examples). Check Them Out!

One of many innovations introduced by GDPR is its territorial scope.

In fact, the two main criteria defining the territorial scope of the GDPR – the establishment criterion (Art. 3.1 of GDPR) and the targeting criterion (Art. 3.2 of GDPR) – have been drafted in such a way as to avoid easy ways out when it comes to the protection of individuals and their personal data.

Last November, the European Data Protection Board (“EDPB”) published a revised version of its Guidelines 3/2018 on the territorial scope of the GDPR, which provide some interesting remarks and examples on both the establishment and the targeting criteria. We will concentrate on a selection of a few of them.

THE ESTABLISHMENT CRITERION

EDPB suggests a threefold approach in determining whether or not certain processing of personal data falls within the scope of the GDPR on the basis of the establishment criterion.

1) Is there an establishment in the EU?

This question must, of course, be answered having regard to the effective and real exercise of activities through stable arrangements, rather than to other formal circumstances, such as the legal form of a certain entity.

It is worth noting that, on this issue, the EDPB made sure to remind us – by reference to the Weltimmo case – that the threshold to be applied in determining whether or not an arrangement can be deemed stable can be quite low, for example when it comes to the provision of online services. Even a single employee may be sufficient to constitute a stable arrangement, if that employee acts with a sufficient degree of stability.

2) Is processing carried out in the context of the activities of the establishment?

The EDPB points out two factors that must be taken into consideration: (i) the relationship between a controller or processor outside the EU and its local establishment in the Union; and (ii) revenue raising in the EU.

3) There is no need that the processing takes place in the EU!

The place of processing is irrelevant, provided that processing takes place in the context of the activities of the establishment. So is the geographical location of the data subjects in question.

In addition to the threefold approach, the EDPB offers some hints on how the application of the establishment criterion may be affected by the relationship between the controller and the processor. In this regard, the first thing to note is that the relationship between a controller and a processor does not per se trigger the application of GDPR to both. Furthermore, it is more likely that the EU establishment of the controller will lead to the application of GDPR to a processor located abroad than vice versa. On one hand, when a controller subject to GDPR chooses a processor located outside the EU, that processor becomes indirectly subject to the obligations imposed by GDPR by virtue of the contractual arrangements required under Art. 28 of GDPR. On the other hand, unless other factors are at play, the processor’s EU establishment will not per se trigger the application of GDPR to the non-EU controller, because by instructing the EU processor the non-EU controller is not carrying out any processing in the context of the activities of the processor in the EU.

THE TARGETING CRITERION

The first thing to which the EDPB draws our attention is a simple, yet important, fact. Whenever the targeting criterion leads to the application of GDPR to controllers or processors which are not EU-established, such controllers or processors will not benefit from the one-stop-shop mechanism, which allows them to interact with only one Lead Supervisory Authority. That is an important factor to be taken into consideration when assessing the opportunity to establish an entity within the EU to offer services or monitor data subjects.

Having said that, the EDPB recommends a twofold approach for the targeting criterion.

1) Are data subjects “in the Union”?

Under the targeting criterion, GDPR applies to controllers or processors not established in the EU insofar as the processing relates to the offering of goods and services to, or the monitoring of, data subjects in the EU.

With regard to the presence of the data subject in the EU, no reference is made to any formal legal status of the data subject (e.g. residence or citizenship): it is sufficient that data subjects are physically located in the EU at the moment the goods or services are offered or at the moment when their behaviour is being monitored.

Nevertheless, that will not be sufficient to extend the application of GDPR to activities that only inadvertently or incidentally target individuals in the EU. Hence, whenever processing relates to a service offered only outside the EU – which is not withdrawn when individuals enter the EU – the relevant processing will not be subject to GDPR.

2) Offering of goods or service / monitoring of data subjects’ behavior, yes or no?

The first activity triggering the application of the targeting criterion is the offering of goods or services. It is interesting to note, in this regard, how the EDPB recalls the CJEU case law on Council Regulation 44/2001 on jurisdiction. Although underlining some differences, the EDPB considers that the notion of “directing an activity” can be applied to assess whether goods or services are being offered by non-EU controllers/processors.

The factors that the EDPB lists, considering them a good indication, especially in combination with one another, of an offer of goods and services in the EU, are taken from the Pammer case and include:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States.

With reference to monitoring activities, the EDPB first reminds us that not only must data subjects be in the EU but, as a cumulative criterion, the monitored behaviour must take place within the territory of the EU.

It then offers a fairly comprehensive list of examples of monitoring activities, including:

  • Behavioral advertisement;
  • Geo-localization activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioral studies based on individual profiles;
  • Monitoring or regular reporting on an individual’s health status.

EDPB EXAMPLES SUMMARIZED

Based on the above, here’s a summary of some interesting examples (with some not-so-obvious outcomes):

WITHIN THE TERRITORIAL SCOPE OF GDPR

  • Case: An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets.
    Why: The processing is inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaigns towards the EU market.
  • Case: A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries, but all personal data processing activities are carried out by the data controller in France.
    Why: Processing of personal data is carried out in the context of the activities of an establishment of a data controller in the Union.
  • Case: A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.
    Why: The US start-up, via its city-mapping application, is specifically targeting individuals in the Union.

OUTSIDE THE TERRITORIAL SCOPE OF GDPR

  • Case: A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU.
    Why: Absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union.
  • Case: An Australian company offers a mobile news and video content service, based on users’ preferences and interests. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service.
    Why: The service is not targeting individuals in the Union, but targets only individuals in Australia.
  • Case: A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.
    Why: While the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands), it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligations and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service.

Therapeutic cannabis in Italy: business opportunities

Italy’s only authorized medical cannabis facility is currently controlled by the military. However, the production site, located in the Florence area, cannot keep up with the increasing demand, creating shortages for patients and barriers to its prescription by physicians (whose patients are unlikely to be able to obtain the quantities needed).

As Colonel Modica of the Italian Military recognized, “The health ministry and the defense ministry are trying to fix the shortfall because there’s been a huge increase in cannabis prescriptions and the number of patients who need them”.

Meanwhile, pressed by the patients’ associations, the Italian Health Minister Giulia Grillo announced not only an increase in imports of therapeutic cannabis products from the Netherlands (to cover the short-term shortages), but also the start of a longer-term project, eventually leading to the creation of a public-private partnership for the production of cannabis. “An invitation to present expressions of interest will be published in order to increase the production of therapeutic cannabis”, the Minister said. While underlining that an appropriate time frame will be needed in order to implement the project, the Minister confirmed that the cannabis production activity is “of great interest for both the Defense and the Public Health Care” and crucial in order to satisfy the increasing needs of both domestic and foreign markets.

The increase in the domestic production of therapeutic cannabis, along with the overall demand for it, appears to be inevitable.

On the other hand, the boom of “light cannabis” products in Italy (i.e., products containing THC in a percentage lower than 0.2% and, therefore, expressly declared legal in Italy starting from January 2017) seems to have encountered some obstacles lately.

The Advisory Board of the Italian Health Care Ministry (Consiglio Superiore di Sanità) issued a report last spring, recommending the adoption of measures aimed at prohibiting the sale of light cannabis products.

In addition, an internal note of the Ministry of Home Affairs, recently made public, promoted a zero-tolerance approach and a strict application of the relevant laws and regulations. These steps have caused great uncertainty and concern amongst those who invested in what came to the media’s attention in 2017 as a State-backed business.

Hence, the latest developments relating to therapeutic cannabis in Italy indicate that new business opportunities for both exporters and producers of cannabis-based prescription products are likely to be offered by the Italian market. Conversely, serious questions can be raised in connection with the light-cannabis boom, in view of the inconsistent approach recently taken by the Italian authorities.

Vaccines: the Italian Constitutional Court rules in favor of mandatory vaccination imposed by national law

The polarized debate over vaccines sees the Italian Constitutional Court taking an important step into the discussion, shortly before the latest notable rebellion against compulsory vaccination in Italy. Only a few days ago, in fact, the Mayor of Rome, Ms. Raggi (together with the members of her Council, unanimously), approved a motion contradicting the mandatory nature of the 10 (originally 12) vaccinations made compulsory for school-age children by a recently enacted Italian law. Nevertheless, the “rebels” in Rome probably did not take into appropriate account the decision of the Italian Constitutional Court, which ruled in favor of the vaccination obligation under Italian law.

The Court – in deciding a constitutional challenge brought by the Veneto Region against the imposition of vaccination by the State – explains its views in a straightforward way.

First of all, the Court makes it very clear that, when it comes to vaccines, fundamental health care rights are involved and, to such regard, no difference is constitutionally acceptable between different areas of the Italian territory. In other words, when a healthcare measure is imposed by a national law in the public interest, Regions and local authorities do not have a say about it.

Furthermore, and most importantly, the Court clarifies that – also taking into account the worrisome drop in vaccination rates in recent years – the choice of tightening up legislation to compel vaccinations is not unreasonable.

True, persuasive techniques – such as the ones the Veneto Region would like to implement – can, ideally, represent a better option, but only when herd immunity is somehow guaranteed. Conversely, when vaccination rates drop, obligations and sanctions by law – as the California example showed – are not only reasonable (and constitutional), but much more effective.

Well, when the going gets tough, the law gets going. And that’s reasonable, Italian Constitutional Court says.

Medical Malpractice in Italy: New Promises for Old Issues

On February 28, 2017, the Italian Parliament approved a long-awaited act, aimed at providing new tools to improve the quality of health care services and to fight the downsides of the so-called defensive medicine.

The act has been proposed and announced as a historical step for Italian health care legislation by Federico Gelli, head of the health care committee of the Italian Democratic Party.

The act, in its 18 articles, offers a new comprehensive regulation of major aspects of medical malpractice and related issues, such as litigation management and insurance.

  • Articles 2 and 3 introduce new administrative authorities: the health protection authority and the national observatory on health care good practices;
  • Article 5 formalizes and regulates the publication of guidelines and good practices for better visibility and increased certainty;
  • Articles 6 and 7 (re-)define the nature and limits of criminal, contractual and tortious liability of health care professionals and hospitals;
  • Article 8 introduces compulsory ADR mechanisms to reduce (discourage?) court litigation;
  • Article 10 establishes insurance obligations for public and private hospitals and health care professionals;
  • Article 12 allows direct compensation from insurance companies to victims of medical malpractice;
  • Article 14 creates a guarantee fund for medical malpractice victims.

Everything looks very promising at first, but medical malpractice is too delicate and too complicated a subject to think that a single act could really solve all the outstanding issues.

For example, Italian lawyers and health care professionals certainly remember the clumsy attempt by the Italian legislator in 2012 to limit health care professionals’ liability, which was not upheld by the Italian courts, thus nullifying the legislator’s intentions.

From another angle, compulsory ADR mechanisms and insurance obligations always carry the risk of becoming an obstacle to the effective exercise of individuals’ rights, if not a gift to insurance companies.

Lastly, it is worth noting that the ambitious goals set forth by the Italian legislator will have to be achieved without any additional public investment, as article 18 of the act expressly prohibits such spending. Indeed, it is hard to predict whether a true improvement in health care safety is achievable – automatically and free of cost – just because of a new act.

In order to have a better understanding of the true potential of the new legislation, stay tuned for more reflections, which will appear on this blog.

2017 New Year’s Privacy Resolution: Road to Compliance with the New European Privacy Framework

The year 2017 has already brought us some exciting change. The beginning of the year is also the perfect time for appraisals of the past and resolutions for the near future. Whether we see it as a welcome enhancement of personal data rights or simply as another burdensome European set of requirements, 2016 delivered the new European General Data Protection Regulation (Regulation EU 2016/679, “GDPR”). 233 days have already passed since GDPR entered into force and 498 days are left until the new Regulation starts to apply on May 25, 2018. Roughly one third of the time given to comply with the new regulatory framework has already gone by. The beginning of 2017 is therefore a good chance to ask ourselves what has already been done in the first 233 days and what still needs to be done in the remaining 498 days in order not to miss May 2018’s deadline.

The GDPR imposes a much more burdensome level of compliance requirements on companies acting as data controllers and data processors.

Some of them require the assessment and preparation of organizational and implementing measures that need to be put in place well in advance of May 2018.

  • Data controllers and data processors must appoint a data protection officer (“DPO”) in the cases set out by Art. 37 of GDPR (processing carried out by a public authority, core activities consisting of regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions). The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the DPO in performing his/her tasks by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his/her expert knowledge. The controller and processor shall also ensure that the DPO does not receive any instructions regarding the exercise of those tasks. Furthermore, the DPO shall not be dismissed or penalized by the controller or the processor for performing his/her tasks and shall directly report to the highest management level of the controller or the processor.
  • Data protection by design and by default will have to be implemented. The data controller: (i) both at the time of the determination of the means for processing and at the time of the processing itself, must “implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects” and (ii) “to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
  • A data protection impact assessment must be carried out. Such impact assessment must contain: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
  • Data controllers must guarantee the effectiveness of the data subject’s right to be forgotten and right to portability. This requires an assessment of the adequacy of the technical and organizational instruments currently available and, possibly, their improvement. More specifically, data controllers must be able to fulfill: (i) in relation to the right to be forgotten, their obligation to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”; (ii) as regards the right to portability, their obligation to allow data subjects to effectively exercise their right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller”.
  • Data controllers shall notify personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. This requires controllers to prepare appropriate notification forms, as well as organizational measures guaranteeing adequate resources to complete such a task within that time.
  • The mandatory content of the written contract between the data controller and the data processor requires a revision of all such contracts. They shall include, inter alia, the obligations of the processor to: process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; delete or return all the personal data to the controller after the end of the provision of services relating to processing, including copies; make available to the controller all information necessary to demonstrate compliance with the obligations under GDPR; allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • Information notice forms currently in use will need to be revised. In fact, information to be provided to data subjects must include, inter alia: the contact details of the DPO; the legal basis for the processing; the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission; the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to data portability; the existence of the right to withdraw consent at any time for processing based on consent; the existence of the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling.
  • Data controllers and data processors must keep records of the processing activities under their responsibility. Records to be kept by data controllers shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organizational security measures. Records to be kept by data processors shall include: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the DPO; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, a general description of the technical and organizational security measures. Data controllers and data processors shall therefore dedicate and organize resources so as to be able to start keeping such records.

All this may appear daunting. Nevertheless, 498 days are more than enough to take all the necessary steps, if we let one of our New Year’s resolutions be to walk the road to compliance with the GDPR in a timely manner.