Legislative Decree no. 101 of August 10, 2018 (“D.lgs. 101/2018”) amended Legislative Decree No. 196/2003, the so-called “Privacy Code” (“Privacy Code”), in order to adapt it to the provisions of the European Regulation no. 2016/679 (“GDPR”), which came into force on May 25, 2018.
The new provisions of the D.lgs. 101/2018, in force since September 19, 2018, together with the provisions introduced by the GDPR and the implementing measures made by the Privacy Authority (Italy’s personal data protection authority) are the sources of regulations regarding privacy.
(II) Principal innovations introduced by D.lgs. 101/2018
Following the adjustment to the GDPR implemented by the Italian legislator with D.lgs. 101/2018, the “new” Privacy Code has been considerably innovated.
The D.lgs. 101/2018, inter alia, regulates:
- the validity of the consent given by the child in relation to the direct offer of information society services, providing that: (i) minors who have turned 14 may validly give their consent; otherwise, (ii) minors under the age of 14 may not give their consent, since the consent of the subject exercising parental authority is necessary (art. 2-quinquies of the Privacy Code);
- the warranty measures for the processing of genetic, biometric and health-related data that may be processed in accordance with the warranty measures laid down by the Privacy Authority (art. 2-septies of the Privacy Code);
- the principles relating to the processing of “ex judicial data” that took place outside the control of public authorities (Article 2-octies of the Privacy Code);
- the new category of “designated subjects”, which would seem to preserve the entirely Italian figure of the persons in charge of the processing, regulated by the now abrogated art. 30 of the Privacy Code (art. 2-quaterdecies of the Privacy Code);
- the role of the national accreditation organization (art. 2-septiesdecies of the Privacy Code).
Legislative Decree 101/2018 repeals, inter alia, in Part One both Title II “Rights of the data subject” (Articles 7 – 10 of the Privacy Code) and Title III “General rules for data processing” (Articles 11 – 17 of the Privacy Code). These rules, once central to the internal regulations (for example, art. 7 on the “right of access to personal data and other rights” and art. 13 on the “Information”), have been repealed in order to give way to the direct application of the rules provided for by the GDPR. As already mentioned, in fact, the new Privacy Code and the GDPR, together with the provisions of the Privacy Authority, are the only sources of legislation on the protection of personal data.
Legislative Decree 101/2018 does not affect the validity of the measures issued by the Privacy Authority since 1997 (Article 22 of Legislative Decree 101/2018) on the basis of the principle of compatibility of each individual measure with the GDPR and the new Privacy Code. Attachments A1 to A7 of the Privacy Code remain provisionally applicable until the compatibility check that the Privacy Authority must carry out within 90 days of the entry into force of Legislative Decree 101/2018. Otherwise, Legislative Decree 101/2018 repeals Annex B (Technical regulations on minimum security measures) and Annex C (Non-occasional treatments in the judicial sphere or for police purposes) of the Privacy Code.
In the interests of continuity, Legislative Decree 101/2018 does not remove the validity of the General Authorisations issued by the Privacy Authority (although the Privacy Authority had already extended their validity with a measure dated 19 July 2018). Also for these, in fact, it is provided that the Privacy Authority must review them within ninety days from the date of entry into force of Legislative Decree 101/2018.
(III) Aspects of sanctions
Legislative Decree 101/2018 also intervened at the level of criminal sanctions, confirming the offences already provided for by the Privacy Code (with limited amendments to the extent of the penalty) and also introducing further offences such as: (i) the “Illegal communication and dissemination of personal data subject to large-scale processing” (art. 167 bis of the Privacy Code); (ii) the “Fraudulent acquisition of personal data subject to large-scale processing” (art. 167 ter of the Privacy Code) and (iii) the “Interruption of the performance of the duties or exercise of the powers of the Privacy Authority” (art. 168, paragraph 2 of the Privacy Code).
As is well known, unlike the rules on criminal sanctions, the rules on administrative sanctions are contained in the GDPR. In this sense, Legislative Decree 101/2018 repeals in the Privacy Code all the provisions of Title III, Chapter I on “Administrative violations”, establishing, by amending Article 166 of the Privacy Code, which administrative violations of the new Privacy Code should be sanctioned on the basis of the two different sanctioning options provided for in (i) Article 83, paragraph 4 of the GDPR (up to 10 million Euro or, for companies, up to 2% of the total annual worldwide turnover of the previous year, if higher) and (ii) Article 83, paragraph 5 (up to 20 million Euro or, for companies, up to 4% of the total annual worldwide turnover of the previous year, if higher).
For any further information feel free to contact the following professionals at our firm:
Avv. Giampaolo Grasso
Avv. Mario Distasi
Avv. Marika Manganaro
Tel: 0039 02 8282 6000