Tag Archives: GDPR

Italian Transparency Act: the Opinion of the Italian Data Protection Authority

The Italian Data Protection Authority has issued its opinion on the data protection implications of the new information duties imposed on employers by legislative decree 104/2022.

On August 13, 2022, legislative decree 104/2022 (“Transparency Act”) entered into force. It provides for a new set of mandatory information that the employer must communicate to its employees at the time of their onboarding. On January 24, 2023, the Italian Data Protection Authority (“Garante”) issued its opinion on the compliance of such new information duties with the relevant data protection legislation.

In particular, the focus of the Garante was centered on the mandatory communication that, according to section 4, paragraph 8 of the Transparency Act, the employer must give to the employees if any “decision or monitoring automated system is used for the sake of providing information which is relevant for the hiring, management or termination of the employment relationship, for the assignment of tasks and duties, or for the surveillance, evaluation and fulfillment of contractual duties by the employee”. The Garante has stated that:

  • GDPR Sanctions Apply in case of Breach.  The implementation of any decision or monitoring automated system must be made in compliance and within the limits set forth by the applicable labor law provisions, and in particular law 300/1970. Such labor law provisions, which allow the implementation of automated systems only if certain conditions occur, must be deemed as providing “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context” (as per section 88, paragraph 2, of the GDPR), and thus non-compliance with them may lead to administrative fines pursuant to section 83 of the GDPR.
  • Data Protection Impact Assessment (“DPIA”).  The employer, who is subject to the duty of accountability, must assess beforehand whether the relevant processing is likely to result “in a high risk to the rights and freedoms of natural persons”, and thus requires a preliminary data protection impact assessment under section 35 of the GDPR. In this regard, the Garante has clarified that the data subjects (i.e., employees) should be deemed “vulnerable”, and that the processing of their data with automated systems is very likely to meet the conditions that make the DPIA mandatory according to the guidelines on the DPIA issued by the WP 29 on April 4, 2017.
  • Compliance with the “privacy by default” and “privacy by design” principles.  Employers must implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing so as to protect the rights of data subjects (privacy by design). Moreover, the controller shall ensure that, by default, only personal data which are necessary for the specific purpose of the processing are processed (privacy by default), and should therefore refrain from collecting personal data that are not strictly related to the specific purpose of the relevant processing.
  • Update of the register of processing activities (“ROPA”).  The employer must record the processing of data through automated systems in its ROPA.

Need any further assistance on the matter? Don’t hesitate to reach out to us!

EU Policies for the Digital Age

Confused about the Digital Service Act, the Digital Markets Act, the Data Governance Act and the Data Act? My recent article tries to make sense of all of them:

https://www.mondaq.com/italy/data-protection/1195638/an-overview-of-the-european-union-laws-and-policies-for-the-digital-age

The article also explains that the European Union has a strong vision on principles and policies for the digital age and aspires to a worldwide leadership role in the governance of digital phenomena.

The European Health Data Space

On May 3, 2022 a Proposal for a Regulation on the European Health Data Space was published. The proposed European Health Data Space starts from the premise that access to and sharing of health data within and across Member States is difficult due to the complexity and divergence of rules, structures and processes. The European Health Data Space aims at harnessing the power of health data for people, patients and innovation by pushing towards health data science that will transform public health and foster innovation, while empowering individuals to take control of their health data. This proposed legislation is also a product of the Covid-19 pandemic, during which up-to-date, reliable and FAIR health data (i.e., data that is based on the principles of Findability, Accessibility, Interoperability and Reusability) has been key in responding to the crisis and developing cures and vaccines. The ultimate goal is to build a European Health Union[1] that would strengthen the resilience of health systems and deliver for every Union citizen.

The European Health Data Space Communication supports both primary and secondary use of health data. With regard to primary use, patients will have their health data available through access points established by Member States but connected through a cross-border digital infrastructure; they will be able to control and share their health data, and mandatory requirements on interoperability, security, safety and privacy will apply. Electronic health record systems are subject to mandatory self-certification schemes, which must comply with essential requirements related to interoperability and security. The European Health Data Space promises to “make continuity of care across EU a reality”[2].

Secondary use of data (i.e., health data used for research, innovation and public health) will also be supported by a European framework. Permits to use the data will be obtained from health data access bodies, designated by Member States, which will establish how the data may be used and for which purposes (charges may apply), but always requiring closed secure environments, anonymised or pseudonymised data and transparency in their use. The HealthData@EU platform will facilitate cross-border studies.

Governance of the European Health Data Space will be entrusted to a new body, the European Health Data Space Board, chaired by the Commission. The Communication does not forget that investments in digitalization are costly and has made 810 million euros available to support the European Health Data Space.

Benefits of the European Health Data Space are expected for citizens, health professionals, researchers, regulators and policy-makers and for the industry.


[1] Bucher, A. (2022) ‘Does Europe need a Health Union?’ Policy Contribution 02/2022, Bruegel

[2] See page 12 of https://ec.europa.eu/health/publications/communication-commission-european-health-data-space-harnessing-power-health-data-people-patients-and_en

Whistleblowing Directive: What You Need To Know

Whistleblowing, or reporting of breaches of the law, is often regulated in a fragmented and non-comprehensive fashion. This is about to change thanks to Directive 2019/1937 of October 23, 2019 “on the protection of persons who report breaches of Union law” (the “Directive”), aimed at harmonizing and broadening the protection of whistleblowers and of reported entities.

In Italy whistleblowing is currently governed by Legislative Decree no. 165/2001 (for public employees) and by Legislative Decree no. 231/2001 (for private employees). With regard to the private sector, whistleblowing provisions are only applicable to companies who have adopted a “231 Organizational Model”.

The Directive should have been implemented by December 17, 2021. The Italian government has been delegated by Parliament to adopt the necessary implementing measures but, as in many other EU countries, the legislative process has already exceeded the December 17 deadline.

While the details of the national law that will implement the Directive are still unknown, certain basic principles can already be envisaged:

  • In principle, the Directive applies to public entities and to private entities with at least 50 employees or with an annual turnover of more than Euro 10 million, with two caveats: (i) the Directive is applicable, regardless of the number of employees, if your company operates within the scope of EU legislation preventing money laundering and terrorist financing (e.g., financial services); and (ii) Member States may decide to apply new whistleblowing provisions also to companies below the 50-employees threshold;
  • The Directive broadens the concept of reporting person: among others, self-employed workers, shareholders, members of the company’s key bodies, (sub)contractors and suppliers will also be covered by the protection afforded by whistleblowing legislation (such as the protection of their identity), even if their work relationship has ended or has yet to begin;
  • The Directive also broadens the subject matter of the report: to be covered by the Directive, reports have to relate to breaches of EU law in specific sectors. However, the Directive provides for the possibility to broaden the subject matter as to include violation of domestic legislation;
  • The Directive provides for three reporting channels:
    • Internal channel: if you have adopted a 231 Model, you are already equipped with an internal whistleblowing channel, which will however need to be upgraded to cover the new definition of reporting person and the strict reporting and follow-up requirements established by the Directive;
    • External channel, which will be set up by the government and will likely allow whistleblowers to report to public authorities, such as the Italian Anticorruption Authority. (If you have an IT provider which helps you run a whistleblowing channel, that is still an internal one);
    • Public disclosure: reporting persons may “go public” only if other channels have not been successful.
  • In relation to groups of companies, the European Commission has clarified the matter with two opinions, dated June 2, 2021 and June 29, 2021: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting. Entities with 50 to 249 employees may “share resources” with their parent companies (but also with non-linked companies) and may also, but not exclusively, rely on their channels;
  • Data collection and processing activities under whistleblowing provisions must be carried out in compliance with the GDPR: as an example, personal data which are manifestly not useful for the purposes of a specific report must not be collected or, if collected accidentally, must be deleted.

While we wait for the Italian law implementing the Directive, the above basics already give you an idea of what is to come.

Check Your Website’s Compliance with New Rules on Cookies

The Italian Data Protection Authority’s new guidelines for the processing of cookies are in force. Does your website comply? Find out if the answer is yes (or if you need adjustments) through the Q&A below.

On January 9, 2022, the new guidelines for processing of cookies and other online tracking instruments issued by the Italian DPA have officially entered into force. Take this test to check if you are already compliant.

Q: What kind of cookies are you currently using on your website?

A: The Italian DPA has divided the cookies currently in use in 3 categories:

  • Technical cookies: the cookies strictly necessary for a service provider to deliver a service requested by the user.
  • Profiling cookies: the cookies used to create clusters of users, by associating them with specific actions or behavioral patterns. Such cookies are mainly aimed at tailoring the delivery of services to the user in an increasingly personalized way, as well as at carrying out targeted advertising.
  • Analytic cookies: the cookies aimed at evaluating the effectiveness of the services offered or at measuring user “traffic” on the website, by recording users’ online activities within the website. These cookies are mainly provided by third party suppliers.

Q: What should I do in case I use TECHNICAL COOKIES?

A: Technical cookies are not subject to any prior consent by the users. This means that you just need to provide the users with a specific cookie policy notice containing the information set forth by article 13 of the GDPR. Such notice may also be a specific section of your general privacy policy.

Q: What should I do in case I use PROFILING COOKIES?

A: Profiling cookies may be used only upon prior consent by the users. You may obtain users’ consent by implementing a cookie banner that pops up on your website as soon as users land on your page.

Q: What should I do in case I use ANALYTIC COOKIES?

A: Analytic cookies can be processed without any consent by users only if they do not allow any identification (direct identification – i.e. “singling out” – of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized.

Usually, analytical cookies are provided by third parties. In such case, you must provide, within your cookie policy notice, an updated list of all the third party cookies that are implemented within your website.

Q: How do I collect consent by users, when mandatory?

A: You may set up a cookie banner that pops up on your website when users land on your page.

Q: How to draft a cookie banner?

A: First and foremost, cookie banners must be user-friendly and immediately visible. The dimensions of the banner must be neither too small nor too big relative to the kind of device used. Their wording must also be simple and easy to understand. In addition, cookie banners must contain a link to the cookie policy notice. No profiling cookies can be set before the user gives consent. Only technical cookies may be set beforehand.

Q: Do I have to grant users the possibility to modify their choices?

A: Yes, a specific section of the website must always be provided, allowing users to modify their initial choices.

Q: Can I obtain consent by users in other ways?

A: Consent by the user must be free and unambiguous, but there is no mandatory way to obtain consent by the users: you may implement your own system, in accordance with accountability principles set forth by the GDPR so long as consent is unambiguous and through a positive act of the user (“opt in”). No form of implicit consent is acceptable.

Q: Can I propose the banner again in case the user has declined consent?

A: The excessive and redundant use of banners requesting consent is not allowed – except for certain specific exceptions – since this may bring the user to give consent for the sole purpose of interrupting the pop-up of the banner.

Q: What about “cookie walls” and “scroll down”?

A: Don’t use them! A “cookie wall” is a mechanism by which the user’s denial of consent prevents them from accessing the website entirely. A “scroll down” system infers the user’s consent from the mere fact that they continue browsing the website without expressing any choice about cookies. Neither cookie walls nor scroll down systems are compliant, since neither obtains an express consent from the user.
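The rules above (technical cookies always allowed, everything else gated on an explicit opt-in, no consent inferred from scrolling or closing the banner, no re-prompting after a refusal, a way to change one's mind) translate directly into the logic a site's consent gate has to enforce. The following is an added example written for this post, not code from the Garante's guidelines or from any particular consent-management product. It assumes three category names (“technical”, “analytics”, “profiling”), an in-memory Map standing in for document.cookie, an operator-supplied `aggregateOnly` flag asserting that an analytics cookie cannot single out a user, and a six-month validity for a recorded decision before the banner may be shown again; none of these specifics come from the original post.

```javascript
// Cookie-consent gate: added example, not the Garante's text or a real CMP.
// Assumptions (not in the original post): category names below, a Map as the
// cookie jar, and a six-month lifetime for a recorded decision.
const CATEGORIES = ["technical", "analytics", "profiling"];
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumed decision lifetime

function newConsentState() {
  // Technical cookies never need consent, so they start enabled; nothing else does.
  return { decided: false, decidedAt: null,
           granted: { technical: true, analytics: false, profiling: false } };
}

// Only an explicit, positive act changes the state. Scrolling, closing the
// banner or navigating on are deliberately no-ops: that is exactly the
// "scroll down" / implied consent the guidelines reject.
function applyUserAction(state, action, nowMs) {
  const decided = (granted) =>
    ({ decided: true, decidedAt: nowMs, granted: { ...granted, technical: true } });
  switch (action.type) {
    case "accept_all":
      return decided({ analytics: true, profiling: true });
    case "reject_all":
      return decided({ analytics: false, profiling: false });
    case "save_preferences": // granular choice from the "modify your choices" section
      return decided({
        analytics: action.choices.analytics === true,
        profiling: action.choices.profiling === true,
      });
    case "scroll":
    case "close_banner":
    case "navigate":
      return state;
    default:
      throw new Error(`unknown action ${action.type}`);
  }
}

// May this cookie be written under the current consent state? `aggregateOnly`
// is the operator's assertion that an analytics cookie cannot identify a user
// and only feeds aggregate statistics (the one case the guidelines exempt).
function mayStoreCookie(state, cookie) {
  if (!CATEGORIES.includes(cookie.category)) {
    throw new Error(`unknown category ${cookie.category}`);
  }
  if (cookie.category === "technical") return true;
  if (cookie.category === "analytics" && cookie.aggregateOnly === true) return true;
  return state.decided && state.granted[cookie.category] === true;
}

// The single write path every script on the page should go through: the jar
// only ever receives cookies the current consent state allows.
function setCookieIfAllowed(jar, state, cookie) {
  if (!mayStoreCookie(state, cookie)) return false;
  jar.set(cookie.name, cookie.value);
  return true;
}

// Show the banner until the user decides; after a decision (including a refusal)
// do not keep re-prompting, which the guidelines treat as consent by attrition.
// Ask again only once the recorded decision is older than the assumed lifetime.
function shouldShowBanner(state, nowMs, lifetimeMs = SIX_MONTHS_MS) {
  if (!state.decided) return true;
  return nowMs - state.decidedAt >= lifetimeMs;
}

// Walk-through on constructed input: a visitor who scrolls, then opts in to
// analytics only. Returns what happened so the outcome can be inspected.
function demo() {
  const jar = new Map();
  const writes = [];
  let state = newConsentState();
  state = applyUserAction(state, { type: "scroll" }, 1000); // no consent inferred
  writes.push(setCookieIfAllowed(jar, state, { name: "session", value: "abc", category: "technical" }));
  writes.push(setCookieIfAllowed(jar, state, { name: "_ads", value: "seg42", category: "profiling" }));
  writes.push(setCookieIfAllowed(jar, state, { name: "_stats", value: "1", category: "analytics", aggregateOnly: true }));
  state = applyUserAction(state, { type: "save_preferences", choices: { analytics: true } }, 2000);
  writes.push(setCookieIfAllowed(jar, state, { name: "_ads", value: "seg42", category: "profiling" }));
  writes.push(setCookieIfAllowed(jar, state, { name: "_uid", value: "u1", category: "analytics" }));
  return { writes, cookies: [...jar.keys()], granted: state.granted,
           bannerAfter: shouldShowBanner(state, 3000) };
}
```

Running `demo()` shows the session cookie and the aggregate-only analytics cookie going through before any decision, the profiling cookie being refused both before and after the visitor's analytics-only choice, the identifying analytics cookie going through only after it, and the banner staying hidden afterwards. The point of routing every write through `setCookieIfAllowed` is that the check happens in one place: third-party tags cannot be allowed to set their own cookies directly, or the banner becomes decoration.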

All clear? If not, reach out to us!

Web Cookies’ Processing: New Guidelines by the Italian DPA

On June 10, 2021 the Italian DPA officially issued new guidelines for the processing of cookies and other online tracking instruments. The newly issued guidelines are aimed at compliance with the principles set forth by the GDPR, as well as with the recent contributions of the European Data Protection Board. The new guidelines complement and update the previous ones issued in 2014.

The new provisions mainly concern how consent is acquired and the information to be provided to data subjects. In particular:

  • consent by the user must be given in accordance with principles of freedom and unambiguousness. Accordingly, the use of methods that do not comply with such principles, such as the “scrolling-down” and the “cookie-wall”, are unlawful and void;
  • the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles, as resulting from article 25 of the GDPR. Consequently, simplified manners for the obtainment of the consent are allowed only to the extent that they comply with some pre-determined requirements;
  • “analytic cookies” can be processed without any consent by users only if they do not allow any identification (direct identification of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized;
  • information to be provided to the users must be specific and comply with articles 12 and 13 of the GDPR.

Data controllers now have a six-month term (expiring in December 2021) to adopt the measures necessary to comply with these guidelines.

The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.

New Data Transfer Standard Contractual Clauses Approved by the EU Commission

On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC“), which are regarded to provide appropriate safeguards within the meaning of Article 46(1) and (2) (c) of the GDPR.

The new SCC are aligned with the GDPR and with the opinions expressed during the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), and take into account the recent Schrems II judgement of the Court of Justice.

The Commission approved two different sets of SCC on the same day: one for the contract between controllers and processors under Article 28 of the GDPR, and one for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). This post concerns the second set.

The new SCC promise “more flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses”.

If you or your company are using the old SCC, you have a transition period of 18 months.

Data Protection Day 2021: What You May Have Missed (while busy celebrating Data Protection Day)

This year’s celebrations for Data Protection Day may have been a bit toned down. But you still may have been so busy celebrating that you may have missed a couple of news from the (data privacy) world.

First, the EDPB’s Guidelines 01/2021 on Examples regarding Data Breach Notification are out and open for comments until March 2nd.  The document can be used as a very practical guide for whoever is involved in data processing activities. It is aimed at helping data controllers decide how to handle data breaches and what factors to consider during risk assessment. The Guidelines reflect the experience of the European supervisory authorities since the GDPR became applicable and are full of cases and examples, which make them a genuinely practice-oriented, case-based guide for controllers and processors. So, are you curious to know what to do in case of a ransomware attack with backups but without exfiltration in a hospital? Or in case of a credential stuffing attack on a banking website? Or are you “just” trying to figure out what to do in case of mistakes in postal mail?  Then check out the guidelines!

Meanwhile, in Italy, the Italian Data Protection Authority gave its favourable opinion on the proposed reform of the Italian Registro Pubblico delle Opposizioni, a service designed for the protection of data subjects whose telephone number is publicly available but who do not wish to receive unsolicited direct marketing calls from an operator. Nevertheless, the Italian Data Protection Authority specified that such service, essentially based on a list of express opt-outs, only applies to marketing activities carried out by human operators and cannot be extended to automated calls. By doing so, the Italian Data Protection Authority confirms that marketing activities carried out through automated systems must be subject to stricter measures and always require express consent, given their highly invasive nature. So: Humans 1, Automated Calling Machines 0.

COVID-19 Infects Smart Working and Data Protection Rules

The unfortunate spread of COVID-19 throughout Italy led to some interesting legislative measures.

Smart Working

Thanks to a Decree of the Prime Minister adopted on March 1, 2020, employers may have their employees work remotely even without the individual written agreements mandated by Law no. 81/2017.

  • Remote or “smart” working is not mandatory. It is up to the employer, given its responsibility for the organization of the working activity, to decide whether or not to adopt remote working, both for employees who work in areas at risk and for employees who live in such areas but work outside them.
  • For the next six months the principle of consent, on which remote working is based, is waived: the employer will be able to arrange this method of working “even in the absence of individual agreements”. In case of refusal by the employee, disciplinary sanctions may be applied. Conversely, the employee may not use smart working without a specific indication by the employer.
  • With regard to formal requirements, no precise written provision is needed. An e-mail or a verbal arrangement may be sufficient.

During this time, smart working will be considered as a measure of health and safety at work and the employers should provide for the relevant IT instruments to allow the employee to arrange remote working.

Moreover, last February, before the outbreak of the COVID-19 crisis, Regione Lombardia had already launched a campaign to make public funds available to employers that have never implemented smart working plans. Employers can submit their application from April 2, 2020 until December 15, 2021, subject to availability of the subsidies. We can assist employers in defining the relevant plan.

Data Protection

Ordinance no. 630, adopted on February 3, 2020 as an emergency measure to counter the coronavirus, has been approved by the Italian Data Protection Authority. Surprisingly, it in fact lowers the protection of individuals in light of the public interest.

More specifically, the Italian Data Protection Authority pointed out that, pursuant to Section 9 of GDPR, certain personal data may be legitimately processed for reasons of public interest in public healthcare – particularly in case of serious cross-border threats against healthcare – while ensuring appropriate measures to protect the rights of the concerned individuals, with a specific focus on professional secrecy.

In light of the above and considering the ongoing COVID-19 crisis, the measures taken allow personal mobile communication data and geolocation data to be analysed in order to trace connections and contacts amongst individuals. However, the decision does not set forth specific countermeasures to protect the rights of the concerned individuals.