Legislative Decree 10/08/2018, no. 101 was published in the Official Gazette no. 205 of 4/9/2018, containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”.

The text published in the Official Gazette was approved by the Council of Ministers on 8/8/2018. The measure was long awaited, both in view of the delegation to the Government under the enabling law and because EU Regulation 2016/679 (GDPR) has applied since last May 25. This amendment to the privacy code became necessary because the text of Legislative Decree 196/2003 contained rules in conflict with those of higher rank (principle of hierarchy of sources) laid down in the GDPR.

Here are some insights on the main novelties introduced to the privacy code.

  1. The processing of personal data takes place according to the provisions of EU Regulation 2016/679 and the privacy code. Therefore, the primary regulatory reference becomes the GDPR on the basis of which national provisions have been adapted.
  2. Regarding information society services, minors will be able to express their consent upon reaching 14 years of age, while for minors under 14 years of age the consent of those exercising parental responsibility is necessary. It remains to be seen how attainment of the age of 14 can be concretely verified and demonstrated.
  3. The conditions for processing special categories of personal data for reasons of substantial public interest are specified, as well as for processing health data.
  4. Biometric data: in compliance with the personal data protection principles set out in Article 32 of the GDPR on security measures, the use of biometric data in physical and logical access procedures to data by authorized persons is permitted (the text refers to “authorized subjects”). Disclosure is excluded in any case.
  5. The conditions for restrictions are specified.
  6. Judicial proceedings: acts, documents and measures used in court proceedings based on the processing of personal data are governed by procedural provisions.
  7. Authorized persons: the controller or processor may assign specific tasks and functions to “designated persons” who are part of the organization. In reality, the GDPR refers to “authorized persons” (Article 3 and Article 29) and not to designated persons. Obviously, designated persons should be regarded as “authorized” in the GDPR's wording, also considering that the expression “authorized persons” (taken from EU Regulation 2016/679) is used in other parts of the amended privacy code. The difference is therefore a terminological oversight by the legislator.
  8. National accreditation body: the Authority is given the power to assume directly the exercise of those functions, and in the event of serious non-fulfillment of the tasks of the National Accreditation Body, also with reference to one or more categories of processing. The rule, as formulated, introduces the possibility of intervention by the Authority where the condition (the conjunction “and” is in fact used) of a “serious non-fulfillment” of the tasks of the National Accreditation Body is met. In this way, the Authority's power also extends to the activities proper to the National Accreditation Body (no limitation is specified, other than through an interpretative approach that must take into account what the GDPR provides). However, the formulation adopted leaves room for some uncertainties: who can determine that there is a “serious non-fulfillment” by the National Accreditation Body? How is a “serious non-fulfillment” that legitimizes the intervention of the Authority ascertained? Such a formulation could give rise to conflicts between the Accreditation Body and the Authority.
  9. Novelties introduced in processing in the public sphere.
  10. Novelties also in the health sector.
  11. Interventions regarding processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
  12. Modifications introduced in employment matters. For spontaneously transmitted curricula, the principle that the information notice is to be provided at the time of the first useful contact remains in force.
  13. Clarifications on electronic communications.
  14. Modified remedies available before the Authority (complaints and reports).
  15. Clarifications on tasks, powers and functioning of the Authority.
  16. Modified sanctioning system, including criminal sanctions.
  17. Codes of ethics and good conduct: extension of effectiveness until the definition of the approval procedure based on the new conditions.
  18. General authorizations: extension of effectiveness until the adoption of rules of conduct.
  19. Application of sanctions: for the first eight months from the entry into force of the decree in question, the Authority must take into account, when applying sanctions, the phase of first application of the sanctioning provisions. The rule, as formulated, gives rise to interpretative uncertainties, since it is not clear in what way the Authority is concretely to take the first application into account. An extensive interpretation would suggest that the Authority should apply lighter sanctions (?). If so, a principle of mitigation of sanctions not contemplated in the GDPR would be introduced, with an obvious consequent conflict with rules of primary rank.

The regulatory technique used is debatable, since Legislative Decree 196/2003 was amended through repeals and the introduction of rules that refer back to the GDPR. A different approach would have been more effective: limiting the amendments to the special part, and leaving room in the general part only for appropriate regulatory clarifications where the general principles expressed by the GDPR require integration with national rules.