Italian Data Protection Code Reformed To Enact GDPR. What Is New?

Author:Mr Giangiacomo Olivi

Legislative decree no. 101 of August 10, 2018 (Decree), amending and adapting the Italian Data Protection Code (Legislative decree no. 196/2003, Data Protection Code or DPC) to the GDPR, has been issued on September 4, 2018 in the Official Journal and entered into force on September 19, 2018. The new DPC is available (in Italian only) at the following link.

The analysis of the Decree reveals a legislative technique aimed at developing most of the 'open clauses' contained in the GDPR, i.e. those allowing member states to specify further certain aspects of the provisions concerned (for instance, those related to children's consent and the processing of special categories of personal data).

Herein you will find a summary of the main provisions of the Decree.

A. Children's consent in relation to information society services Children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. The holder of parental responsibility over the child must give consent where the child is below the age of 14 years. In this regard, the GDPR sets the minimum age of 16 years old, but allows member states to fix a lower age for granting valid consent. This is an example of how the Italian legislator benefitted from a GDPR open clause. Considering such age limit, online content requests will have to be devised so that they are appropriate for children of at least 14 years of age. This, without prejudice to the specific law provisions concerning the required age for the execution of contracts. B. Safeguard measures for the processing of biometric, genetic and health-related data Biometric, genetic and health-related data can be processed if specific safeguard measures (including security measures, such as encryption and pseudonymization) are implemented. The Italian DPA (Garante) will establish such safeguards at least on a two-yearly basis (see also lett. G below). This is a further specification of Article 9 (4) of the GDPR, concerning the processing of special categories of personal data, allowing member states to introduce additional conditions and limitations with regard to the special categories of personal data. This means that, under Italian law, the processing of such data may be subject to particularly strict requirements. Such a provision enhances the protection of biometric, genetic and health-related data, but it creates further burdens for data controllers...

To continue reading