Italian Data Privacy Authority

On April 28, 2017, the Italian Data Privacy Authority published a Guide on the application of the new General Data Protection Regulation (GDPR). The Guide does not set out implementing rules of the GDPR but rather provides a summary of “what will remain the same” and “what will change” in the six main areas covered by the GDPR:

  1. Legal basis for the processing
  2. Information to be provided to data subjects
  3. Data subjects’ rights
  4. Data controller, data processor and persons in charge of the processing
  5. Data privacy risk assessment and accountability
  6. International transfer of data

In addition, for each of the above six macro areas, the Guide provides recommendations on the measures that companies and public entities can already put in place, in order to ensure compliance with specific provisions of the GDPR, which do not need further intervention at a national level for their implementation.

The Guide will be amended, updated or supplemented in light of the development of the debate at a national and European level on the application of the GDPR. The data protection authorities of France and the Netherlands published similar guides on March 15 and April 13, 2017, respectively. Those guides are structured in a slightly different way, however, as they propose (especially the French one) a more systematic “step by step” methodology in order to help organizations get ready for the GDPR.

Elisabetta Pagone contributed to this blog post.

On April 28, 2015, the Italian Data Privacy Authority (the Authority) launched a public consultation on the Internet of Things aimed at collecting contributions from stakeholders and assessing its potential impact on consumers’ privacy. This public consultation in Italy follows the opinion of the EU Article 29 Working Party of September 2014 and a more recent report of the U.S. Federal Trade Commission of January 2015, which had identified a number of issues and challenges in relation to the Internet of Things. Interested parties can submit their comments to the Authority by e-mail within 180 days of the publication in the Official Journal of the decision to launch the consultation (expected in the next few days).

This is an outstanding opportunity for stakeholders to provide their contribution on issues such as users’ profiling, data anonymization, the applicability of the data protection by design principles and the use of certification and authentication tools, in order to identify a set of best practices to ensure that compliance with data privacy rules does not constitute a limit to the development of Internet of Things technologies. The consultation might hopefully result in the adoption of specific guidance by the Authority on the application of data privacy rules to businesses active in the Internet of Things market, which currently face significant compliance issues.