Stage of legislative progress 
Eg. pre-consultation, in consultation

On May 11 a new official Legislative Decree Scheme ("Scheme") was published which will not repeal the current Italian Data Protection Act ("IDPA") but rather it will amend the provisions of the IDPA in conflict with the GDPR.
https://bit.ly/2IuMS4b

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The Scheme will amend the IDPA provisions in conflict with GDPR.

Timescale for implementation 
Eg. pre-consultation, in consultation

At the moment the Scheme is under consideration by the relevant Commission and the Italian Data Protection Authority ("DPA"). 
According to unofficial information, the Scheme will be approved by the end of May and will enter into force on May 25, as set out by the section 28 of the Scheme, or at the latest at the time of its approval.
 



Areas where Member States must have local laws:

Personal data and freedom of expression 

No deviations from GDPR.

On the basis of the provisions of the Scheme, the Code of Practice concerning the processing of personal data in the exercise of journalistic activities (Annex A of IDPA) will remain in force.

Penalties

Section 15 of the Scheme amends some IDPA provisions, in particular there are criminal sanctions for the following:

a) unlawfully processing (i) traffic data relating to contracting parties and users that are processed by the provider of a public communications network or publicly available electronic communications service and (ii) location data other than traffic data. 
b) automated calling or communications systems without human intervention for the purposes of direct marketing or sending advertising materials (without the data subject's consent) and the data processing is in breach of the provision concerning the Calling Line Identification.
Criminal sanction:
Imprisonment for between six and eighteen months.

c) unlawfully processing special categories or data/criminal records data
Criminal sanction: Imprisonment for between twelve and thirty-six months.
d) unlawfully transferring data to a third country in breach of the conditions set out in Sections 45, 46 and 49 GDPR.
Criminal sanction: Imprisonment for between twelve and thirty-six months.
e) declaring or attesting to untrue information or circumstances, or else submitting forged records or documents in a proceeding before the Italian DPA and/or in the course of inquiries.
Criminal sanction:
Imprisonment for between six months and three years.

Furthermore, Section 15 of the Scheme introduces new offences in the IDPA, in particular:

the disclosure  or dissemination of personal data relating a large number of people in breach of various Section 2 provisions of IDPA.
Criminal sanction: Imprisonment for between one and six years.

the disclosure or dissemination of personal data relating a large number of people without their consent, when it was the necessary lawful basis.
Criminal sanction: Imprisonment for between one and six years.

fraudulently acquiring personal data relating a large number of people.
Criminal sanction:
Imprisonment for between one and four years.

Lastly, it is to be noted that Section 172 IDPA foresees that being convicted of any of the offences referred to in this Code shall entail publication of the relevant judgment.



Areas where Member States may have local laws:

Professional secrecy 

In relation to professional secrecy in the journalistic profession, Section 138 IDPA, as amended by means of Section 11 of the Scheme, restricts the data subject's right to obtain from the controller the information referred to Section 15 GDPR insofar the data subject can not request to be informed of the source of the personal data.

Scientific, historical or statistical purposes 

Amended Section 99 IDPA, allows personal data to be processed; stored; & transferred to another controller after the normal period for processing of personal data and even after the termination of the main data processing if these processing will be carried out for scientific, historical or statistical purposes as well as at archiving in the public interest.

Amended Section 106 IDPA - the Italian DPA is to promote rules for professional and ethical conduct for processing for statistical purposes or for scientific research. Rules to apply both to public and private bodies, scientific societies and professional associations. Aim of the guidance is to 
identify adequate guarantees for the rights and freedoms of the data subject in accordance with Article 89 GDPR. 
 
Amended Section 110 IDPA: possible to carry out scientific and medical research, using special categories of data, without consent in certain circumstances. 
 
Amended Section 110-bis IDPA: ability for the Italian DPA to authorise secondary uses of special category data for scientific and statistical research, in situations where it is impossible or would involve a disproportionate effort to inform all  data subjects. Does not apply to genetic data.

Employment

No material derogations. It should be highlighted that the Section 21 of the Draft states that the Italian DPA will identify, within 90 days following the entry into force of the Draft, which ones of the general regulatory measures (issued so far by Italian DPA itself) will remain fully valid in force (e.g. guidelines on biometric data, processing of data at work).

Personal data of deceased persons 

The Section 2-duodecies of the IDPA, as amended by means of the Draft, foresees that the rights referred to in Sections 15 to 22 GDPR referring to personal data concerning deceased people can be activate by the subject who has an interest in the protection, by his agent, or for family reasons worthy of protection ("Representative").

The exercise of the subject's rights by the Representatives is not allowed in the cases set out by law or when, insofar to the direct offer of information society services, the data subject has expressly forbidden it with a written declaration provided or communicated to the data processing controller

Children online

Pursuant to Section 2-quinques of the IDCA, as amended by means of the Scheme, in relation to the information society services, the consent is valid and lawful whether it has been provided by a minor at least of the age 16 years. (= no deviation from GDPR benchmark).

Furthermore, pursuant to the aforementioned Section, under the age of 16 years the consent still has to be given by the holder of parental responsibility but it's been removed the possibility to give an authorization referred to in Section 8, 1) GDPR.

Special rules for special categories of data
It has been specified the meaning of "substantial public interest" (Section 9, 2, letter g) GDPR) by means of the Section 2-sexies, 2, letters from a) to v) as a viable lawful basis for processing of special categories of personal data. 

Genetic, biometric or health data

Section 2-septies,IDPA: Italian DPA to adopt safeguards for genetic, biometric and health data processing every 2 years. Draft specifies how the guidelines should be adopted and the principles which are to be taken into account by DPA. High risk processing of genetic data requires further safeguards - consent can be a further safeguard. Genetic, biometric and health data cannot be disseminated.

Designation of a Data Protection Officer

The Italian DPA, referring to the relevant WP29 guidelines, has provided some guidance on the categories of data controllers that more likely fall under the obligation to appoint a DPO (e.g. financial institutions, insurance companies, financial information systems, credit collection companies, surveillance companies, etc).

National identification numbers/any other identifier of general application

n/a


Other:

Any other areas under discussion

The Garante Guide notes that:

  • Controllers and Processors should use symbols and icons suggested by DPA's Decisions on CCTV systems and banks, together with a complete and exhaustive privacy notice;
  • DPA will provide guidance on meaning of "reasonable fees" and security measures for processing sensitive data;
  • measures appointing staff to process and track bank users' activity should be maintained; and
  • records of  processing activities for organisations with fewer than 250 persons employed should be maintained.