Tag Archives: GDPR

Web Cookies’ Processing: New Guidelines by the Italian DPA

On June 10, 2021 the Italian DPA has officially issued new guidelines for the processing of cookies and other online tracking instruments. Such newly-issued guidelines are aimed at compliance with principles set forth by the GDPR, as well as by the recently issued contributions of the European Data Protection Board. The new guidelines complement and update the previous ones issued in 2014.

New provisions mainly regard how consent is acquired and information to be provided to interested subject. In fact:

  • consent by the user must be given in accordance with principles of freedom and unambiguousness. Accordingly, the use of methods that do not comply with such principles, such as the “scrolling-down” and the “cookie-wall”, are unlawful and void;
  • the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles, as resulting from article 25 of the GDPR. Consequently, simplified manners for the obtainment of the consent are allowed only to the extent that they comply with some pre-determined requirements;
  • “analytic cookies” can be processed without any consent by users only if they do not allow any identification (direct identification of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized;
  • information to be provided to the users must be specific and comply with articles 12 and 13 of the GDPR.

Data controllers now have a 6-months term (expiring on December 2021) for the adoption of the measures necessary to comply with such giudelines.

The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.

New Data Transfer Standard Contractual Clauses Approved by the EU Commission

On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC“), which are regarded to provide appropriate safeguards within the meaning of Article 46(1) and (2) (c) of the GDPR.

The new SCC are updated with GDPR, the opinions expressed during the course of the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), as well as take into account the recent Schrems II judgement of the Court of Justice.

There are two different sets of SCC: (i) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) and (ii) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

The new SCC promisemore flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses“.

If you or your company are using the old SCC, you have a transition period of 18 months.

Data Protection Day 2021: What You May Have Missed (while busy celebrating Data Protection Day)

This year’s celebrations for Data Protection Day may have been a bit toned down. But you still may have been so busy celebrating that you may have missed a couple of news from the (data privacy) world.

First, the EDPB’s Guidelines 01/2021 on Examples regarding Data Breach Notification are out and open for comments until March 2nd.  The document can be used as a very practical guide for whoever is involved in data processing activities. It is aimed at helping data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The Guidelines reflect the experiences of the European supervisory authorities since the GDPR became applicable and they are full of cases and examples which make them, admittedly, a practice-oriented, case-based guide for controllers and processors. So, are you curious to know what to do in case of a ransomware attack with backup but without exfiltration in a hospital? Or perhaps in case of a credential stuffing attack on a banking website? Or you’re “just” trying to figure out what to do in case of mistakes in post and mail?  Then, check out the guidelines!

Meanwhile, in Italy, the Italian Data Protection Authority gave its favourable opinion to the proposed reform of the Italian Registro Pubblico delle Opposizioni, a service designed for the protection of data-subjects, whose telephone number is publicly available but who wish not to receive unsolicited direct marketing calls from an operator. Nevertheless, the Italian Data Protection Authority specified that such service, essentially based on a list of express dissents, only applies to marketing activities carried out by human operators and cannot be extended to automated calls. The Italian Data Protection Authority, by doing so, confirms that marketing activities carried out through automated systems must be subject to stricter measures and always require express consent, given their highly invasive nature. So: Humans 1, Automated Calling Machines: 0.

COVID-19 Infects Smart Working and Data Protection Rules

The unfortunate spread of COVID-19 throughout Italy led to some interesting legislative measures.

Smart Working

Thanks to a Decree of the Prime Minister adopted on March 1, 2020, the employers could employ their workers by remote working, even without the individual agreements in writing mandated by Law no. 81/2017. 

  • Remote or “smart” working is not mandatory. It is up to the employer, given its responsibility for the organization of the working activity, to decide whether or not to adopt remote working both for employees who work in areas at risk and for employees who live in such areas but work outside.
  • Secondly, for the next six months the principle of consent, on which remote working is based, will be waived: the employer will be able to arrange such method of working “even in the absence of individual agreements”. In case of refusal by the employee, disciplinary sanctions may be applied. On the contrary, the employee may not use smart working without a specific indication by the employer.
  • With regards to formal requirements, no precise written provision is needed. An e-mail or a verbal arrangement may be sufficient.

During this time, smart working will be considered as a measure of health and safety at work and the employers should provide for the relevant IT instruments to allow the employee to arrange remote working.

Moreover, last February, before the outbreak of COVID-19 crisis, Regione Lombardia already launched a campaign to make public funds available for employers that never implemented plans of smart working. The employers can send the application starting from April 2, 2020, until December 15, 2021, up to availability of the subsidies. We could assist the employers to define the relevant plan.

Data Protection

Ordinance no. 630, adopted on February 3, 2020, as an emergency measure to contrast corona virus has been approved by the Italian Data Protection Authority. Surprisingly, it in fact lowers the protection of individuals in light of the public interest.

More specifically, the Italian Data Protection Authority pointed out that, pursuant to Section 9 of GDPR, certain personal data may be legitimately processed for reasons of public interest in public healthcare – particularly in case of serious cross-border threats against healthcare – while ensuring appropriate measures to protect the rights of the concerned individuals, with a specific focus on professional secrecy.

In light of the above and considering the ongoing COVID-19 crisis, the measures taken allow personal mobile communication data and geolocation to be analysed in order to trace connections and contacts amongst individuals. However, such decision does not set forth specific countermeasures in order to protect the rights of the concerned individuals.

Italian Data Protection Authority Plans to Inspect Life Sciences Companies in 2020

The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections through the fiscal police. 

Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.

Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.

In 2019 the Italian Data Protection Authority has issued sanctions amounting to Euro 15,910,390.

Five Key Takeaways from Our Seminar on Clinical Trials

If you missed our seminar on clinical trials on January 16, here are five key takeaways to help you understand the changing regulatory environment in Europe and Italy.

  1. Be ready for a new regulatory landscape

The recent clinical trials regulatory overhaul within the EU aims at fostering research and facilitating the tasks of all actors involved in this area. However, delays in the implementation of such new legislation are posing an actual risk for the entire sector throughout the EU, while competition from emerging economies is getting stronger.

  1. Harmonized, but not enough

In several areas, such as observational studies or ethical committee’s assessments, a unified approach at European level is yet to be adopted. This leaves a lot of fragmentation among the various countries and a lot of work to be done at local level in order to ensure compliance with applicable regulations. Be prepared to deal with such inconveniences, in particular in the pharmaceutical sector.

  1. Changes in data protection laws offer new opportunities but challenges remain

GDPR brought new harmonized provisions to improve and support the use of data for the purpose of conducting research. However, guidance from national data protection and regulatory authorities in areas such as legal grounds for processing and secondary use is far from established. Moreover, different EU countries continue to adopt opposite approaches when it comes to consent and legitimate interest as valid legal grounds for data processing in the framework of clinical research. Data protection compliance will therefore continue to require local check-ups.

  1. New opportunities for independent research

Recent regulatory changes in Italy are being implemented to foster independent not-for-profit research in the clinical area. The new regulations, which are about to be adopted, envisage new opportunities for the participation of private actors in independent research and allow not-for-profit research institutions to better exploit the results of their research. The potential for conflicts remain and caution should be exercised within public-private relationships, but there is hope that new paradigms of collaboration will see the light.

  1. A new world of evidence is out there

More and more projects in the clinical research field involve real world data and real world evidence, gathered in a number of different ways outside the rigid protocols of a controlled study, whether through medical devices or other data collection instruments. Real world data are key to understanding how treatments work in reality and developing new healthcare paths. However, both clinicians and private actors are operating in uncharted territories and the line between studies and alternative research projects is thinner than you may expect. Be mindful of the regulatory and compliance ramifications of these new powerful tools.

Italy’s First Multi-Million GDPR Sanctions

Before last week, the Italian Data Protection Authority (“DPA”) only applied one (modest) GDPR sanction, which placed Italy at the bottom of the lists of EU Countries per number and value of GDPR sanctions applied.

In addition to the great differences in numbers and figures – for example, of soon-to-leave UK (sanctions’ amounts in Euro: Italy 30k vs. UK 315mln+) or Spain (number of sanctions: Italy 1 vs. Spain 43) – it is interesting noting that, until last Friday, the most active European DPAs (UK, France, Germany, Spain) tended to target big players in the private sector (i.e. British Airways, Marriot International, Google), as opposed to Italy’s attention to websites affiliated to a political party and run through the platform named Rousseau.

Last Friday, however, a significant change in such scenario occurred. The Italian DPA issued a press release announcing two GDPR sanctions applied to Eni Gas e Luce, a fully-owned subsidiary of Italy’s State-controlled multinational oil and gas company, Eni S.p.A., for Euro 8.5 and 3 million.

The first sanction of Euro 8.5 million has been imposed for unlawful processing in connection with telemarketing and tele-selling activities. The inspections and inquiries had been carried out by the authorities as a response to several alerts and complaints that followed GDPR D-Day.

Violations included: advertising calls made without consent or despite data subjects’ refusal, absence of technical and organisational measures to take into account the instructions provided by data subjects, excessive data retention periods, obtainment of personal data of possible future customers from third parties which did not obtain consent.

The second sanction of Euro 3 million relates to unsolicited contracts for the supply of electricity and gas. Many individuals complained that they have learned about their new contracts only upon receipt of the termination letter from the previous supplier or of the first electricity bill from Eni Gas e Luce. Complaints included alleged incorrect data and false signatures.

About 7200 consumers have been affected. The Italian DPA also underlined the role of third-party contractors, acting on behalf of Eni Gas e Luce, in perpetrating the violations.

Both decisions are quite significant as, for the very first time, the Italian DPA provides its indications and illustrates its approach in dealing with data processing and violations by large-sized companies operating in the private sector, within the GDPR regulatory framework.

Don’t Forget to Close E-mail Accounts of Employees who Leave. And Happy Holidays!

The Italian Data Protection Authority has recently reiterated what to do when an employee leaves the company, i.e.:

  • Close down email accounts attributable to the former employee;
  • Adopt automatic response systems indicating alternative addresses to those who contact the mailbox; and
  • Introduce technical measures to prevent the display of incoming messages to unauthorized subjects.

The automatic forwarding of emails to colleagues of the former employee amounts to a breach of principles of data protection, which impose on the employer the protection of confidentiality even of the former worker.

In the case decided by the Authority the e-mail account had remained active for over a year and a half after the end of the employment relationship and before its elimination, which took place only after a formal complaint filed by the worker.

Our life sciences team at Gitti and Partners wishes you a relaxing Christmas break and a 2020 full of happy innovation, useful technology and interesting legal developments!

The European Data Protection Board’s Revised Guidelines on the Territorial Scope of GDPR Are Out (With Some Interesting Examples). Check Them Out!

One of many innovations introduced by GDPR is its territorial scope.

In fact, the two main criteria defining the territorial scope of the GDPR – the establishment criterion (Art. 3.1 of GDPR) and the targeting criterion (Art. 3.2 of GDPR) – have been drafted in such a way to avoid easy way outs when it comes to the protection of individuals and their personal data.

Last November, the European Data Protection Board (“EDPB”) published a revised version of its Guidelines 3/2018 on the territorial scope of the GDPR, which provide some interesting remarks and examples on both the establishment and the targeting criteria. We will concentrate on a selection of a few of them.

THE ESTABLISHMENT CRITERION

EDPB suggests a threefold approach in determining whether or not certain processing of personal data falls within the scope of the GDPR on the basis of the establishment criterion.

1) Is there an establishment in the EU?

This is, of course, an answer that must be given having regard to the effective and real exercise of activities through stable arrangements, rather than to other formal circumstances, such as the legal form of a certain entity.

It is worth noting that, on the issue, the EDPB made sure to remind – by making reference to the Weltimmo case – that the threshold to be applied in determining whether or not an arrangement can be deemed as stable can be quite low, for example, when it comes to the provision of online services. Even a single employee may be sufficient to constituting a stable arrangement, if that employee acts with a sufficient degree of stability.

2) Is processing carried out in the context of the activities of the establishment?

The EDPB points out two factors that must be taken into consideration: (i) the relationship between a controller or processor outside the EU and its local establishment in the Union; and (ii) revenue raising in the EU.

3) There is no need that the processing takes place in the EU!

The place of processing is irrelevant, if processing takes place in the context of the activities of the establishment. So is the geographical location of the data subjects in question.

In addition to the threefold approach, the EDPB offers some hints on how the application of the establishment criterion me be affected by the relationship between the controller and the processor. To such regard, the first thing to note is that the relationship between a controller and a processor does not per se trigger the application of GDPR to both. Furthermore, it is more likely that the establishment within the EU of the controller will lead to the application of GDPR to the processor located abroad than vice versa. In fact, on one hand, when a controller subject to GDPR chooses a processor located outside the EU, the processor located outside the EU will become indirectly subject to the obligations imposed by GDPR by virtue of contractual arrangements under Art. 28 of GDPR. On the other hand, unless other factors are at play, the processor’s EU establishment will not per se trigger the application of GDPR to the non-EU controller, because by instructing the EU processor the non-EU controller is not carrying out any processing in the context of the activities of the processor in the EU.

THE TARGETING CRITERION

The first thing to which EDPB draws our attention to is a simple, yet important, fact. Whenever the targeting criterion leads to the application of GDPR to controllers or processors which are not EU-established, such controllers or processor will not benefit from the one-stop shop mechanism, allowing them to interact with only one Lead Supervisory Authority. That is an important factor to be taken into consideration when assessing the opportunity to establish an entity within the EU to offer services or monitor data subjects.

Having said that, the EDPB recommends a twofold approach for the targeting criterion.

1) Are data subjects “in the Union”?

Under the targeting criterion, GDPR will be applied to controllers or processors not established in the EU insofar as processing is related to the offering of goods and services to / monitoring of data subjects in the EU.

With regard to the presence of the data subject in the EU, no reference is made to any formal legal status of the data subject (e.g. residence or citizenship): it is sufficient that data subject are physically located in the EU at the moment of offering  goods or services or at the moment when their behaviors are being monitored.

Nevertheless, that will not be sufficient to extend the application of GDPR to such activities that are only inadvertently or incidentally targeting individuals in the EU. Hence, whenever processing relates to a service offered only outside the EU – which is not withdrawn by individuals entering the EU – the relevant processing will not be subject to GDPR.

2) Offering of goods or service / monitoring of data subjects’ behavior, yes or no?

The first activity triggering the application of the targeting criterion is the offering of goods or services. It is interesting to note, to such regard, how the EDPB recalls the CJEU case law on Council Regulation 44/2001 on jurisdiction. Although underlining some differences, the notion of “directing an activity” can be applied to assess the presence of a goods or services offer by non-EU controllers/processor.

The factors that the EDPB lists, considering them a good indication, especially in combination with one another, of an offer in the UE of goods and services, are taken from the Pammer case and they include:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States.

With reference to monitoring activities, the EDPB first reminds us that not only data subjects must be in the EU but, as a cumulative criterion, the monitored behavior must take place within the territory of the EU.

It then offers a fairly comprehensive list of examples of monitoring activities, including:

  • Behavioral advertisement;
  • Geo-localization activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioral studies based on individual profiles;
  • Monitoring or regular reporting on an individual’s health status.

EDPB EXAMPLES SUMMARIZED

Based on the above, here’s a summary of some interesting examples (with some not-so-obvious outcomes):

WITHIN THE TERRITORIAL SCOPE OF GDPR OUTSIDE THE TERRITORIAL SCOPE OF GDPR
Case Why? Case Why?
An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets. The processing is indeed inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaign towards EU market. A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU. Absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union.
A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France. Processing of personal data is carried out in the context of the activities of an establishment of a data controller in the Union. An Australian company offers a mobile news and video content service, based on users’ preferences and interest. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service. The service is not targeting individuals in the Union, but targets only individuals in Australia.
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up, via its city mapping application, is specifically targeting individuals in the Union. A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in. While the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service.

Is Your Cookie Policy Right?

In a recent decision by the Court of Justice of the European Union in case C-673/17 against Planet49 GmbH, the issue of consent was analyzed on the basis of the ePrivacy Directive and the GDPR.

The case regarded a preliminary question by the German Federal Court of Justice on the validity of consent given through a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

The Court analyzed the features of consent under the ePrivacy Directive (“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” by reference to the Data Protection Directive) and in the GDPR (“any freely given, specific, informed and unambiguous indication of the data subject’s wishes”).

The Court concluded that the user is required to “give” consent and to provide an “indication”, which “points to active, rather than passive, behavior.” Therefore, an opt-out consent is not validly given.

You may want to check if your website has a passive mechanism to accept cookies (including a mechanism whereby “continuing to browse the website means acceptance of these cookies”): under the Court’s decision described above, it is possible that such a passive consent would be regarded invalid.

This conclusion would appear to contradict the previous guideline by the Italian Data Protection Authority providing that “if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.”

Further, the Court set forth that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.