Privacy in Italy: overview

A Q&A guide to data protection in Italy.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Rocco Panetta and Adriano D’Ottavio, NCTM Studio Legale Associato

Legislation

1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

The Italian Constitution (Constitution), promulgated on 27 December 1947, is the primary domestic law regarding the protection of fundamental rights. Article 2 of the Constitution provides that Italy "recognises and guarantees the inviolable rights of the person, both as an individual and in the social groups where human personality is expressed".

Inviolable rights include the:

  • Right to respect for private life, including the inviolability of the personal domicile (Article 14) and the freedom and confidentiality of correspondence and of every other form of communication (Article 15). Any restriction or limitation of these rights can only be imposed by judicial decision stating the reasons and in accordance with the guarantees provided by the law.

  • Rights of the family as a natural society founded on marriage (Article 29).

  • Right of freedom of expression (Article 21).

The right to respect for private and family life and freedom of expression are also protected under Articles 8 and 10 of the European Convention on Human Rights (ECHR). Italy ratified the ECHR with Law No. 848 on 4 August 1955. The Constitutional Court established that the ECHR does not have the status of a constitutional law (Judgments No. 348 and 349, 2007).

Legislative Decree No. 196/2003 (Italian Data Protection Code) (Code) safeguards the right to privacy by establishing that "everyone has the right to protection of the personal data concerning them" (Article 1, Code).

 
2. Who can commence proceedings to protect privacy?

The data subject, that is any natural person that is the subject of the personal data, can commence proceedings to protect privacy.

 
3. What privacy rights are granted and imposed?

The Italian Data Protection Code grants data subjects a set of rights. Data subjects must be informed of the:

  • Source of personal data.

  • Purpose and method of the processing.

  • Logic applied to the processing.

  • Identification of the data controller.

  • Data processor and data controller's representative (if any).

  • Entities and subjects to whom the personal data can be communicated.

Moreover, data subjects have the right to:

  • Erase, anonymise or block the data that has been processed illegally, including data that was retained for different purposes than what it was collected for.

  • Receive certification from the entities to whom the data was communicated, provided that the above processes have been complied with (unless this requirement proves impossible or involves a manifestly disproportionate effort compared to the right that is to be protected).

Data subjects also have the right to object, in whole or in part:

  • On legitimate grounds, to the processing of their personal data, even if relevant to the purpose of the collection.

  • To the processing of their personal data, where it is carried out for the purpose of sending advertising materials or direct selling, or for the performance of market or commercial communication surveys.

 
4. What is the jurisdictional scope of the privacy law rules?

The Italian Data Protection Code (Code) ensures that personal data is processed by respecting data subjects' rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection. The processing of personal data must be regulated by giving a high level of protection for the data subjects' rights and freedoms. This must be in compliance with the principles of simplification, harmonisation and the effectiveness of the mechanisms by which data subjects can exercise such rights and data controllers can fulfil the relevant obligations (Article 2, Code).

 
5. What remedies are available to redress the infringement of those privacy rights?

Data subjects can apply to the Italian Data Protection Authority (IDPA) to lodge a:

  • Circumstantial claim in order to point out an infringement of the relevant provisions on the processing of personal data.

  • Report, if no circumstantial claim can be lodged, in order to call on the IDPA to check up on the relevant provisions for processing personal data.

  • Complaint with a view to establishing the specific privacy rights (see Question 3).

 
6. Are there any other ways in which privacy rights can be enforced?

Any dispute concerning data protection rights and the application of the provisions of the Italian Data Protection Code (Code) sits with the judicial authorities. Data subjects can start civil proceedings before the judicial authority to obtain compensation for damage suffered as a result of unlawful processing of their data.

The Code considers the processing of personal data as a dangerous activity with regard to liability, and provides for civil liability in cases of unlawful data processing. This is provided through interpretation of Article 15 of the Code and Article 2050 of the Italian Civil Code. Article 15 of the Code (Damage Caused on Account of the Processing) provides that whoever causes damage to another as a consequence of the processing of personal data will be liable to pay damages under Article 2050 of the Civil Code. Article 2050 of the Italian Civil Code (Liability for the Dangerous Activities Practices) establishes that whoever causes damage to another during the carrying out of any activity that is considered dangerous due to its nature or the means used, must indemnify the injured party, if he cannot prove that he has taken all the necessary measures in order to avoid the damage. In this respect, according to Article 2050 of the Italian Civil Code, a specific civil liability exists for data breaches, where a reversal of the burden of proof occurs.

In summary, whoever processes the data and causes a breach has the burden to prove that he has done everything possible in order to avoid the breach.

 

Contributor profiles

Rocco Panetta, Equity partner

NCTM Studio Legale Associato

T +39 06 6784977
F +39 06 6790966
E r.panetta@nctm.it
W www.nctm.it/en

Professional qualifications. Italy, Attorney at Law, Italian Bar Association

Areas of practice. Privacy and data protection compliance; Internet and telecommunications (regulatory and contracts) compliance; corporate and commercial law; environmental law; administrative law.

Professional associations/memberships. Secretary General of the ICF (Italian Compliance Forum); Member of the EU Advisory Board of IAPP (International Association of Privacy Professionals); Member of IBA, AIGI, IIP.

Languages. Italian, English, French

Publications

  • Getting the Deal Through – Data Protection & Privacy 2014 to 2016.
  • Italy Employment Records 2013 to 2014 – Data Guidance.
  • Libera Circolazione e Protezione dei dati personali, Giuffrè, 2007.
  • Codice Privacy, Giuffrè, 2008.
  • Codice Ambiente ed Efficienza Energetica, Giuffrè, 2011.

Adriano D’Ottavio, Associate

NCTM Studio Legale Associato

T +39 06 6784977
F +39 06 6790966
E a.dottavio@nctm.it
W www.nctm.it/en

Professional qualifications. Italy, Attorney at Law, Italian Bar Association

Areas of practice. Privacy and data protection compliance; IT and telecommunications (regulatory and contracts) compliance; new technologies; corporate and commercial law.

Professional associations/memberships. Member of the IAPP (International Association of Privacy Professionals); Member of the ICF (Italian Compliance Forum).

Languages. Italian, English

Publications

  • Getting the Deal Through – Data Protection & Privacy 2014 to 2016.

  • Italy Employment Records 2013 to 2014 – Data Guidance.

