Data protection in Italy: overview
A Q&A guide to data protection in Italy.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
In Italy, personal data processing is governed by Legislative Decree No. 196/2003, which contains the Italian Personal Data Protection Code (Code) and implements Directive 95/46/EC on data protection (Data Protection Directive) into the Italian legal system.
In general, apart from the Code, there are no further specific laws regulating other areas of data protection. However, certain laws dealing with related matters contain data protection provisions of their own, as well as cross-references to the Code, including:
The Workers Statute. This law establishes several protections for employees.
Law No. 633/1941. This law provides for specific rules regarding copyright.
Legislative Decree No. 81/2008. This law provides for specific rules regarding health and security in the workplace.
Legislative Decree No. 206/2005 (Consumers' Code). This law provides for specific rules regarding consumer protection.
Legislative Decree No. 70/2003 (E-Commerce Law). This law expressly establishes mandatory rules directly applicable in the e-commerce field.
In addition, the Italian Data Protection Authority (IDPA) is committed to issuing appropriate measures with regard to privacy and personal data protection matters. There are many areas directly regulated by the IDPA, including (but not limited to):
Biometric data processing.
Health data processing.
Data breach notifications.
Bank information processing.
Data processing carried out by system administrators.
Data processing for marketing and profiling purposes.
Scope of legislation
The Italian Personal Data Protection Code (Code) provides for guarantees for data subjects and mandatory requirements for those who process personal data.
In particular, the requirements provided for by the Code and other regulations apply to both natural persons and legal persons who are in charge of processing personal data. In addition, the Code makes a distinction between data controllers and data processors.
Data controllers have full, autonomous decision-making powers regarding the purposes and mechanisms of data processing operations and related security matters.
When data processors are selected (under the Code, selecting a data processor is optional for the data controller) they act on behalf of the data controller. Data processors must comply with the provisions that apply to data processing and related security matters.
In general, the Italian Personal Data Protection Code (Code) provides for a very broad definition of personal data. It is defined as any information relating to natural persons who are or can be identified, even indirectly, by reference to any other information, including a personal identification number (Article 4(1)(b), Code). Therefore, personal data can also include information that does not directly identify a natural person, unless such information has been duly anonymised.
The Italian Personal Data Protection Code (Code) covers all personal data processing, that is any operation, or set of operations, carried out with or without the help of electronic or automated means, and concerning data (Article 4(1)(a), Code):
Destruction (regardless of whether the data is contained in a data bank).
The Italian Personal Data Protection Code (Code) applies to the processing of personal data (including data held abroad) where the processing is performed by any entity established in Italy or in a place that is under the Italian state's sovereignty.
The Code also applies to the processing of personal data performed by an entity established in a country outside the European Union (EU), where that entity uses, in connection with the processing, equipment (whether electronic or otherwise) that is situated in Italy. This is unless the equipment is used only for purposes of transit through the territory of the EU. If the Code applies on this basis, the data controller must designate a representative established in Italy to implement the provisions relating to the processing of personal data.
In general, the Italian Personal Data Protection Code covers all sectors and areas of data protection. However, in certain cases, specific rules apply to certain sectors and organisations, for example, rules applying to:
State defence and security matters.
Health-care professionals and public health-care bodies.
The Code expressly provides for certain specific exemptions from general data protection requirements, in particular regarding data processing by the police and in relation to other state defence and security matters.
Under the Italian Personal Data Protection Code (Code), data controllers must notify the Italian Data Protection Authority (IDPA) when they process the following types of data (among others) (Article 37, Code):
Genetic and biometric.
The notification must be provided before the data controller starts to process the data. The data controller can start to process the data as soon as the notification has been completed.
The IDPA expressly established cases of exemption from the notification obligation through a general resolution issued in 2004.
Letter (a) of Article 37 of the Code provides for mandatory notification for processing genetic data, biometric data, or other data that discloses the geographic location of individuals or objects by means of an electronic communications network. However, the IDPA determined that this notification requirement will not apply to:
Non-systematic processing operations of genetic and/or biometric data carried out by health care professionals, acting as controllers of such processing operations, concerning data that is not organised in a data bank accessible to third parties via electronic networks. This provision only applies to such data and operations, including communication, that are necessary for the purpose of safeguarding the data subjects' and/or third parties' health.
Processing of genetic and/or biometric data that is necessary as part of a legal operation to assist with investigations by defence counsel, as provided in Act No. 397/2000, and ultimately to establish or defend a legal claim that concerns a third party. This is on the condition that the claim is not overridden by the data subject's claim and that the data has been processed for the original purpose and for no longer than is absolutely necessary.
Processing of data that discloses the geographic position of air, sea, and ground transportation channels, where it is only carried out for the purpose of transportation security.
Letter (d) of Article 37 of the Code provides for data that is processed with the help of electronic means and with the aim of profiling the data subject and/or his personality, analysing consumption patterns and/or choices, or monitoring the use of electronic communications services. This is except for processing operations that are technically indispensable to deliver the services to users. The IDPA has determined that this notification requirement will not apply to the processing of personal data:
That is not grounded exclusively on an automated processing operation aimed at defining professional profiles, where the processing is carried out exclusively for occupational purposes or else for the purpose of managing the employer-employee relationship. This is except for the cases referred to in Letter (e) of Article 37(1) (see below).
That is not grounded exclusively on an automated processing operation aimed at defining an investor's profile, where the processing is carried out exclusively in order to fulfil specific obligations set out in financial brokerage legislation.
Letter (e) of Article 37 of the Code provides for sensitive data stored in data banks for personnel selection purposes on behalf of third parties. This is in addition to sensitive data used for opinion polls, market surveys and other sample-based surveys. The IDPA has determined that the notification requirement will not apply to the processing of sensitive data carried out:
For the sole purpose of personnel selection exclusively on behalf of entities belonging to the same company and/or banking group.
By public entities exclusively in order to fulfil specific obligations and/or duties as set out in employment and/or labour market legislation.
By trade associations and/or organisations for the sole purpose of carrying out sample surveys with regard to data concerning membership of such associations and/or organisations.
Letter (f) of Article 37 of the Code provides for data that is stored in ad hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent conduct. The IDPA has determined that the notification requirement will not apply to the processing of personal data:
Carried out by public entities to keep public registers or publicly available lists.
That is stored in data banks used to keep in touch with a data subject in connection with the provision of goods or services, or else to comply with accounting and/or tax requirements as also related to breach of contract, factoring of receivables and litigations involving the data subject.
That is stored in data banks used by public and/or private entities exclusively to fulfil regulatory obligations concerning employment, social security, or assistance.
That is stored in data banks used by public bodies exclusively with a view to keeping and executing instruments, provisions and documents related to the levying of taxes, imposition of administrative sanctions, or granting of licences, concessions, and authorisations.
Related to images and/or sound as temporarily stored for the sole purpose of securing and/or protecting individuals and/or property.
Main data protection rules and principles
Main obligations and processing requirements
The Italian Personal Data Protection Code (Code) provides for the following main obligations:
Personal data must be processed with respect for the data subjects' rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection.
Information systems and software must be configured so as to minimise the use of personal data and identification data. Their processing must be excluded wherever the purposes can be achieved by using anonymous data, or by arrangements that allow data subjects to be identified only where necessary.
Personal data must be:
processed lawfully and fairly;
collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with the original purpose;
accurate and, where necessary, kept up to date;
relevant, complete and not excessive in relation to the purposes for which the data is collected or subsequently processed;
kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data is collected or subsequently processed;
processed only if data subjects have previously been informed about the processing; and
processed only if the data subjects have given their consent (see Question 9).
As a general principle, the Italian Personal Data Protection Code (Code) provides that personal data processing carried out by private entities or for-profit public bodies is only allowed if the data subject gives their express consent. The consent can refer to the processing as a whole or to one or more of the processing operations. In addition, the consent is only effective if:
It is given freely and specifically with regard to a clearly identified processing operation.
It is documented in writing.
The data subject has been given the proper information as provided in section 13 of the Code relating to data subjects (section 23, Code).
The data subject's consent must be in writing if the processing concerns sensitive data.
Consent to the data processing can also be given online.
A person under 18 years of age cannot give valid consent, and a parent or legal guardian must give the consent on behalf of the minor.
Under the Italian Personal Data Protection Code (Code) there are specific cases in which the processing of data can be carried out without obtaining the data subject's consent, including if it is:
Necessary to comply with an obligation imposed by a law, regulation or community legislation.
Necessary for the performance of obligations resulting from a contract to which the data subject is a party.
Related to data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations laid down by laws, regulations and community legislation regarding their disclosure and publicity.
Necessary to safeguard life or prevent injury to a third party.
Necessary for carrying out investigations by defence counsel.
Additional derogations are provided for in Articles 24 and 26 (for sensitive data) and in other specific sections of the Code.
The Italian Personal Data Protection Code (Code) and some important guidelines issued by the Italian Data Protection Authority (IDPA) provide more stringent rules when the processing refers to (among other things):
The personal data of employees that is processed in the context of employment.
The Code establishes that sensitive data can only be processed with the data subject's written consent and the IDPA's prior authorisation, and by complying with the prerequisites and limitations set out in the Code (Article 26(1), Code).
The IDPA issues (generally on an annual basis) nine general authorisations, most of which relate to sensitive data processing in specific sectors. Data that discloses health information cannot be distributed.
Other specific rules are expressly provided for by both the Code and general resolutions issued by the IDPA, with particular regard to:
Biometric data processing.
Processing of personal data in the health care sector.
Data processing carried out in the context of employment.
Bank information processing.
Processing of data in relation to mobile payments.
Processing of personal data by using cookies.
Rights of individuals
The data subject must be informed before the collection of data (either orally or in writing) about the:
Purposes of the processing for which the data is intended.
Whether providing the requested data is obligatory or voluntary.
Consequences in cases of failure to reply.
Entities or categories of entity to whom the data may be communicated, or who may get to know the data in their capacity as data processors, and the scope of dissemination of the data.
Rights recognised by the applicable law.
Identification of the data controller and, where designated, the data controller's representative in Italy.
Under Article 7 of the Italian Data Protection Code (Code) data subjects must be informed of the:
Source of personal data.
Purposes and methods of the processing.
Logic applied to the processing.
Identification of the data controller.
Data processor and data controller's representative (if any).
Entities and subjects to whom personal data can be communicated.
Data subjects must have the right to:
Update, rectify or integrate the data.
Erase, anonymise or block the data that has been processed illegally, including data that was retained for different purposes than what it was collected for.
Receive certification from the entities to whom the data was communicated, that the above processes have been complied with (unless this requirement proves impossible or involves a manifestly disproportionate effort compared to the right that is to be protected).
Data subjects also have the right to object, in whole or in part:
On legitimate grounds, to the processing of their personal data, even if relevant to the purpose of the collection.
To the processing of their personal data, where it is carried out for the purpose of sending advertising materials or direct selling, or for the performance of market or commercial communication surveys.
Data subjects have the right to request the deletion of their data (see Question 13).
Under Article 33 of the Italian Data Protection Code (Code) data controllers are required to adopt certain minimum security measures.
Personal data processing carried out through electronic means
The following minimum security measures must be adopted:
Implementation of authentication credentials management procedures.
Use of an authorisation system.
Regular update of the specifications concerning the scope of the processing operations that may be performed by the individual entities.
Protection of electronic means and data against unlawful data processing operations, unauthorised access and specific software.
Implementation of procedures for safekeeping backup copies and restoring data and system availability.
Implementation of encryption techniques or identification codes for specific processing operations performed by healthcare bodies in respect of data about health and sex life.
Personal data processing carried out without electronic means
The following minimum security measures must be adopted:
Regular update of the specifications concerning the scope of the processing operations that may be performed by the individual entities.
Implementing procedures for, for example, safekeeping the records and documents committed to the entities in charge of the processing.
Implementing procedures to keep certain records in restricted-access filing systems and regulating access mechanisms with a view to enabling the identification of the entities in charge of the processing.
Under the Code, data controllers must also do the following:
Appoint persons to be in charge of the processing.
Appoint data processors (if any).
Appoint system administrators.
Create company policies, on topics such as:
use of the Internet and e-mail;
the company password policy.
Under Article 32 bis of the Italian Data Protection Code (Code), data breach notification is mandatory only for providers of publicly available electronic communications services, who must notify the breach to the Italian Data Protection Authority (IDPA) without undue delay. In addition, if the personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the provider must also notify the contracting party or the individual without delay. Notification is not required if the provider has demonstrated to the IDPA that it has implemented technological protection measures that render the data unintelligible to any entity not authorised to access it.
The IDPA recently issued a resolution providing that data breach notification is also an appropriate measure to be adopted by banks and other companies belonging to a banking group, including third companies operating in outsourcing and that process bank information. The IDPA also provides that data breach notification is a mandatory measure to be adopted by data controllers that process biometric data.
Processing by third parties
The Italian Data Protection Code (Code) allows personal data to be transferred to third entities providing outsourced processing services, where the transfer is legitimised by a contract or agreement between the data controller and outsourcer. However, such a transfer needs to be carried out by ensuring the due protection of the data. For example, in such a case, it is important to establish within the contract or agreement how the external provider will act with reference to the data protection profile (that is, whether the external provider will act as an autonomous data controller or as a data processor).
If the third party acts on behalf of the data controller, the third party must be appointed as data processor and the data controller will have the duty to:
Provide it with due instructions about the processing operations.
Periodically verify that the data processor is always able to guarantee compliance with the legal provisions applying to processing and related security matters.
Different regimes apply in relation to the sending of spam.
The use of automated communications systems (without human intervention) for the purposes of direct marketing or sending advertising materials, or else for carrying out market surveys or interactive business communication, is only allowed with the contracting party's or user's consent. This applies to electronic communications performed by e-mail, facsimile, MMS or SMS-type messages.
For phone numbers taken from public registers, lists, records and publicly available documents, the related processing can be performed without the data subject's consent, provided that the data subject has not objected to the processing by registering with the Opposition Register. This is similar to a Robinson list (an opt-out list of people who do not wish to receive marketing transmissions). A similar register has not yet been implemented for mail.
The Italian Data Protection Authority (IDPA) has also issued some important measures and general resolutions to be taken into consideration, including the recent resolutions concerning the guidelines on promotional activities and spam, issued by the IDPA on 4 July 2013 and the guidelines on the activities of online profiling, issued by the IDPA on 19 March 2015.
International transfer of data
Transfer of data outside the jurisdiction
Directive 95/46/EC on data protection (Data Protection Directive) and the Italian Data Protection Code (Code) allow data transfers inside the European Union (EU) and the European Economic Area (EEA).
Under the Code, data transfer to third countries located outside the EU and EEA is not always allowed. The main ways for allowing international data transfers are by:
Obtaining the data subject's express consent.
Incorporating standard contractual clauses (SCC).
Incorporating binding corporate rules (BCR).
Relying on decisions recognising that the destination country ensures adequate protection (adequacy decisions).
The Code provides for further specific derogations that can legitimate the data transfer abroad, including if the transfer is necessary:
For the performance of obligations resulting from a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract, or for the conclusion or performance of a contract made in the interest of the data subject.
For safeguarding a substantial public interest that is referred to in laws or regulations, or to safeguard a third party's life or prevent injury.
For investigations by defence counsel, or else to establish or defend a legal claim, provided that the data is transferred exclusively for these purposes and for no longer than is necessary, and in compliance with the laws applying to business and industrial secrecy.
Restrictions are provided for the transfer of personal data outside the EU and the EEA. If the data is transferred within the EU or the EEA, no particular restrictions are established, due to the principle of free movement of personal data among EU member states.
Both the law and the Italian authorities can impose restrictions with specific reference to certain purposes of data processing. For example, with regard to prize draws, the law establishes that for online prize contests, the server collecting the entries must be located in Italy. If the server is located abroad, the data concerning the contest's participants must be mirrored in real time from the foreign server to an Italian one.
Data transfer agreements
The Italian Data Protection Authority (IDPA) recognises the standard contractual clauses adopted by the EU Commission as a tool to guarantee the protection of the data transferred (see Question 20).
Enforcement and sanctions
The Italian Data Protection Authority (IDPA) must act autonomously and independently in its decisions and assessments.
The IDPA's powers mainly consist of:
Verifying whether data processing operations are carried out in compliance with laws and regulations.
Receiving reports and complaints, and responding by taking appropriate steps.
Ordering data controllers or processors, ex officio, to adopt necessary or appropriate measures for the processing to comply with the provisions.
Prohibiting, ex officio, unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations.
Drawing the attention of parliament and government to the advisability of legislation required by the need to protect those rights.
Reporting to the judicial authority information on facts or circumstances that amount to offences to be prosecuted ex officio.
In discharging its tasks, the IDPA can request the data controller, the data processor, the data subject or a third party to provide information and produce documents.
The IDPA can order that data banks and filing systems be accessed and audits be performed on the spot regarding the premises where the processing takes place or investigations are to be carried out with a view to checking compliance with personal data protection regulations. Such inquiries must be carried out by staff from the office. The IDPA can also ask for the co-operation of other state agencies.
In specific cases of non-compliance with the applicable law on privacy and data protection requirements, the IDPA can impose the administrative fines provided for in Articles 161 and following of the Italian Data Protection Code (Code).
The Italian Data Protection Authority (IDPA) can:
Order data controllers or processors, ex officio, to adopt necessary or appropriate measures for the processing to comply with the provisions.
Prohibit, ex officio, unlawful or unfair data processing operations, in whole or in part, or block such processing operations.
Under the Italian Data Protection Code (Code), breaches of data protection can lead to administrative fines of up to EUR 2,448,000. Sections 161 to 166 of the Code provide for administrative penalties in the following cases:
Where an inadequate information notice has been provided to the data subjects.
There has been an assignment of data in breach of the law.
Unlawful data processing (for example, where breaches concern the information notice, consent, sensitive data, traffic data, location data, unsolicited communications).
Data retention in breach of the law.
Failure to submit a data breach notification.
Failure to submit a notification or submitting an incomplete notification.
Failure to provide information or produce documents to the IDPA.
Where one or more of the provisions are repeatedly violated on different occasions, in connection with especially important or large databases, additional administrative penalties apply (section 164 bis(2), Code). In other more serious cases (in particular if the damaging effects of the breach are more substantial, or if the violation concerns several data subjects) the upper and lower thresholds of the applicable fines are doubled (section 164 bis(3), Code). In addition, the fines can be increased by up to four times if the original fine would be ineffective on account of the offender's economic status (section 164 bis(4), Code). Under section 165 of the Code, an additional administrative penalty can be applied whereby the injunctive order must be published (in whole or in part) in one or more newspapers as specified in the relevant provision. The offender is responsible for the publication and bears the relevant costs.
Under the Code, breaches of data protection can lead to criminal penalties of imprisonment of up to three years. Sections 167 to 172 of the Code provide for criminal penalties in cases of:
Unlawful data processing (for example, breaches that concern the information notice, consent, sensitive data, traffic data, location data, and unsolicited communications).
Untrue declarations and notifications submitted to the IDPA.
Failure to comply with the security measures set out by the Code.
Failure to comply with provisions issued by the IDPA.
Breach of other mandatory obligations relating to the protection of employees' personal data.
In these cases, the IDPA informs the judicial authority of facts or circumstances that amount to offences to be prosecuted ex officio, which it has discovered either in discharging its duties or on account of its duties.
Italian Data Protection Authority (Garante per la protezione dei dati personali) (IDPA)
Main areas of responsibility. The IDPA is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data, and to ensure respect for individuals' dignity.
Description. The Italian Data Protection Authority's website provides information about data protection.
Rocco Panetta, Equity partner
NCTM Studio Legale Associato
Professional qualifications. Italy, Attorney at Law, Italian Bar Association
Areas of practice. Privacy and data protection compliance; Internet and telecommunications (regulatory and contracts) compliance; corporate and commercial law; environmental law; administrative law.
Professional associations/memberships. Secretary General of the ICF (Italian Compliance Forum); Member of the EU Advisory Board of IAPP (International Association of Privacy Professionals); Member of IBA, AIGI, IIP.
Languages. Italian, English, French
- Getting the Deal Through – Data Protection & Privacy 2014 to 2016.
- Italy Employment Records 2013 to 2014 – Data Guidance.
- Libera Circolazione e Protezione dei dati personali, Giuffrè, 2007.
- Codice Privacy, Giuffrè, 2008.
- Codice Ambiente ed Efficienza Energetica, Giuffrè, 2011.
Adriano D’Ottavio, Associate
NCTM Studio Legale Associato
Professional qualifications. Italy, Attorney at Law, Italian Bar Association
Areas of practice. Privacy and data protection compliance; IT and telecommunications (regulatory and contracts) compliance; new technologies; corporate and commercial law.
Professional associations/memberships. Member of the IAPP (International Association of Privacy Professionals); Member of the ICF (Italian Compliance Forum).
Languages. Italian, English
- Getting the Deal Through – Data Protection & Privacy 2014 to 2016.
- Italy Employment Records 2013 to 2014 – Data Guidance.