|Stage of legislative progress
|E.g. pre-consultation, in consultation
The Legislative Decree no. 101 of 10 August 2018 (hereinafter, the "Decree") implementing the GDPR was published in the Official Journal on September 4, 2018.
|Approach to implementation
|E.g. amendments to existing law, total repeal of old laws|
The Decree did not repeal the current Data Protection Act (hereinafter, "IDPA") but solely amended the provisions of the IDPA that conflicted with the GDPR. The IDPA now contains only residual provisions in addition to those of the GDPR which are directly applicable.
A small number of the provisions contained in the Decree are not included in the IDPA. Thus the new final legal framework is quite complex:
|Timescale for implementation
|E.g. pre-consultation, in consultation|
In force. It is possible to read the consolidated text of the IDPA, as amended by the Decree, at the following link: https://bit.ly/2DcqPhm
Areas where Member States must have local laws:
|Personal data and freedom of expression
IDPA title XII - sections 136-137-138-139.
The code of practice on the processing of personal data & journalistic activities (Annex A.1 of IDPA) remains in force. The compatibility of this code with the GDPR will be reassessed by the Italian Data Protection Authority (hereinafter, the "Authority"). The Authority should review it before the end of the calendar
Sections 167, 167 bis and 167 ter of the IDPA provide sanctions (including criminal sanctions) for whoever, with a view to obtaining a personal gain or a gain for a third party, or with the intent to cause harm to another, unlawfully processes, transfers, discloses, disseminates or fraudulently acquires personal data.
Furthermore, Section 168 of the IDPA provides sanctions (including criminal sanctions) if you communicate or attest false information or if you intentionally try to interrupt or disrupt an ongoing procedure/investigation of the Authority.
Section 170 IDPA provides sanctions (including criminal sanctions) for people who do not comply with the measures adopted by the Authority under Article 58(2)(f) GDPR and Section 2-septies(1) IDPA, as well as the general measures referred to in Article 21(1) of the legislative decree implementing Article 13 of Law no. 163 of 25 October 2017.
Section 171 IDPA provides sanctions in the field of employment for employers breaching the guarantees on remote controls and monitoring of employees (Articles 4 and 8 of the Italian Workers' Statute).
Lastly, it is to be noted that Section 172 IDPA provides that being convicted of any of the above criminal offences shall entail publication of the relevant judgment.
Areas where Member States may have local laws:
On journalistic sources, Section 138 IDPA restricts the data subject's right of access insofar as the data subject cannot request the source of the personal data.
|Scientific, historical or statistical purposes
IDPA Section 99 allows personal data to be processed, stored and transferred to another controller after the normal period for processing, and even after the termination of the main processing, if carried out for scientific, historical or statistical purposes as well as for archiving in the public interest.
Section 106 IDPA - the Authority will issue guidance for the processing of personal data for statistical or scientific research purposes.
These rules will apply both to public and private bodies, scientific societies and professional associations. The aim of the guidance is to identify adequate guarantees for the rights and freedoms of the data subject in accordance with Article 89 GDPR.
Section 110 IDPA provides for the possibility to carry out scientific and medical research, using special categories of data, without consent in certain circumstances.
Section 110-bis IDPA gives the Authority the ability to authorize secondary uses of special category data for scientific and statistical research, in situations where it is impossible or would involve a disproportionate effort to inform all data subjects. It does not apply to genetic data.
Section 111 of IDPA states that the Authority promotes the adoption of ethical rules for public and private subjects interested in the processing of personal data carried out in the context of employment.
Section 111-bis IDPA provides that the information referred to in Article 13 of the GDPR, in cases of receipt of a direct application, is provided at the time of the first contact. Within the limits of the purposes referred to in Article 6, paragraph 1, letter b) of the Regulation, consent to the processing of personal data contained in curricula vitae is not required.
Section 21 of the Decree states that the Authority is to identify, within 90 days following the entry into force of the Decree itself (before the end of the calendar year), which of the general regulatory measures will remain fully valid (e.g. guidelines on biometric data, processing of data at work).
|Personal data of deceased persons
Section 2-terdecies of the IDPA provides that the rights referred to in Sections 15 to 22 of the GDPR for deceased people can be activated by a data subject who has an interest in the protection, by his agent, or for family reasons worthy of protection ("Representative").
The exercise of the data subject's rights by the Representative is not allowed in the cases set out by law or when the data subject has expressly forbidden it with a written declaration provided or communicated to the data controller.
|Special rules for special categories of data
|Genetic, biometric or health data
IDPA Section 2-septies (1): guidance on the safeguards for the processing of genetic, biometric and health data should be issued every 2 years.
In the case of high-risk processing of genetic data, consent can be a further safeguard, and/or others should be applied (Section 2-septies (6)). Genetic, biometric and health data cannot be disseminated (Section 2-septies (7)).
Within 90 days from the entry into force of the Decree (the deadline is 18 December 2018) the Authority will identify the applicable safeguards. The existing authorization regime will remain applicable for the processing of genetic and health data until it is replaced by the upcoming safeguards.
|Designation of a Data Protection Officer
|National identification numbers/any other identifier of general application
|Any other areas under discussion
The Authority has highlighted that: