A Q&A guide to data protection in Italy.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The processing of personal data is regulated by Legislative Decree 30 June 2003, no. 196 (Code), which implemented Directive 95/46/EC on data protection (Data Protection Directive) and Directive 2002/58/EC on the protection of privacy in the electronic communications sector (Privacy and Electronic Communications Directive).
There are no applicable sectoral laws.
The Code applies to any personal data processing activity performed by any entity established either (Article 5, Code):
In Italian territory.
In a place under Italian sovereignty.
Outside the EU, where an entity makes use of equipment, whether automated or non-automated, situated in Italian territory, unless equipment is only used for purposes of transit through the territory.
The Code also applies to any processing performed by natural persons for exclusive personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning civil liability and security measures apply in any case.
The processing of personal data can be carried out by:
Data controller. This is any natural or legal person, public authority, body, association or other agency which, alone or jointly with another data controller, determines the purposes and means of the processing of personal data, including security matters (Article 4, ss. 1 f), Code).
Data processor. This is any natural or legal person, public administration, body, association or other agency which processes personal data on the data controller's behalf (Article 4, ss. 1 g), Code).
Persons in charge of the processing. These are natural persons who have been authorised by the data controller or processor to carry out processing operations (Article 4, ss. 1 h), Code).
Following a recent amendment to the Code, the concept of personal data has been limited to information relating to natural persons, identified or identifiable, even indirectly, by reference to any other information including a personal identification number (Article 4 b), Code). Sub-categories of personal data include sensitive data (see Question 11), judicial data, and traffic and location data.
The range of acts covered by the Code is very wide, including the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilisation, interconnection, blocking, communication, dissemination, erasure and destruction of data.
The location in Italy of the establishment of the data controller, in whose context of activity the processing takes place, or the location in Italy of the means or equipment being used (when the data controller is established outside the EU) are relevant to determine the application of Italian law. Therefore, a data controller established outside the EU might still be subject to Italian law, unless the means located in Italy are only used for the transit of data (see Question 2). Neither the data subject's nationality or domicile nor the location of storage of the personal data are relevant.
The Code does not apply to the processing of personal data of legal persons, bodies and associations, nor to processing performed by natural persons for exclusively personal purposes, apart from the exceptions in Question 2. Some types of processing are exempt from specific provisions of the Code (for instance processing in the judicial sector or if performed by the police).
A data controller must notify the Data Protection Authority (DPA) of the processing of personal data if the processing exclusively concerns:
Genetic data, biometric data, or other data disclosing geographic location of individuals or objects by means of an electronic communications network.
Data disclosing health and sexual orientation and activity where processed for certain health-related reasons.
Data disclosing sexual orientation and activity and the psychological profiles where processed by not-for-profit associations, bodies or organisations, that have a political, philosophical, religious or trade-union character.
Data processed using electronic means aimed at profiling the data subject and/or his personality, analysing consumption habits and/or choices, or monitoring use of electronic communications services, except for such processing operations that are technically indispensable to deliver said services to users.
Sensitive data stored in data banks for personnel recruitment purposes on behalf of third parties, as well as sensitive data used for opinion polls, market surveys and other sample-based surveys.
Data stored in ad hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent conduct.
As a general obligation, personal data must be:
Processed lawfully and fairly.
Collected and recorded for specific, explicit and legitimate purposes and used in further processing operations consistent with these purposes.
Accurate and, when necessary, kept updated.
Relevant, complete and adequate in relation to the purposes for which they are collected or subsequently processed.
Kept in a form which permits identification of the data subject for a period of no longer than that necessary for the purposes for which the data were collected or subsequently processed.
The main obligations imposed on data controllers are to:
Provide the data subjects with prior information on the processing of their personal data.
Obtain, if necessary, the data subject's consent.
Implement technical or organisational security measures.
Seek the DPA's authorisation for the processing of sensitive data (see Question 11).
File, if necessary, notification to the DPA.
The scope of such obligations may vary depending on the data controllers' nature or area of activity.
Processing of personal data by private entities or by profit-seeking public bodies is allowed only if the data subject has given valid prior consent. To be valid, consent must be:
Based on proper prior information.
Specific with regard to a clearly identified processing.
Documented in writing.
In writing if the processing concerns sensitive data.
Specific rules may apply to processing carried out by public authorities.
In certain cases processing can be carried out without a data subject's prior consent if it:
Is necessary to comply with an obligation imposed by a law or by EU regulations.
Is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or for compliance with specific requests made by the data subject before entering into a contract.
Concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations laid down by the applicable legislation with regard to their disclosure and publicity.
Concerns data relating to economic activities, as long as they are processed in compliance with applicable legislation on business and industrial secrecy.
Is necessary to safeguard life or bodily integrity of a third party.
Is necessary (with the exclusion of dissemination) for carrying out investigations by defence counsel or to establish or defend a legal claim, provided that the data are exclusively processed for these purposes and for no longer than is necessary as well as in compliance with the applicable legislation on business and industrial secrecy.
Is necessary (with the exclusion of dissemination) to pursue a legitimate interest of either the data controller or a third party recipient in cases specified by the DPA.
Is carried out (except for external communication and dissemination) by non-profit associations, bodies or organisations, recognised or not, with regard either to entities having regular contact with them or to members, to achieve specific and lawful purposes as set out in the relevant memorandums, articles of association or collective agreements.
Is exclusively necessary for scientific or statistical purposes and for purposes in compliance with respective codes of professional practice.
Concerns information contained in CVs spontaneously sent by data subjects for the purposes of a possible hiring.
Except for dissemination and subject to rules on unsolicited communications, concerns communication of data between companies, bodies and/or associations being part of the same group, or between consortiums, corporate networks and/or corporate joint ventures and the respective members, for administrative and accounting purposes, providing that such purposes are expressly referred to in the information notice given to data subjects under Article 13 of the Code (see Question 12).
Specific provisions can apply to the processing operations in specific sectors, such as judicial, public security, health care, electronic communications, and so on.
Sensitive data are those allowing the disclosure of:
Racial or ethnic origin.
Religious, philosophical or other beliefs.
Membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade-unionist character.
Health, and sexual orientation and activity.
Sensitive data can generally be validly processed with both:
The data subject's written consent.
The DPA's prior authorisation (the DPA periodically issues general authorisations for certain types of processing).
These conditions do not apply to the processing of:
Data concerning members of religious entities having regular contact with those entities for exclusively religious purposes.
Data concerning the affiliation of trade unions and/or trade associations or organisations to other trade unions and/or trade associations, organisations or confederations.
Data contained in CVs spontaneously sent by the data subjects.
Sensitive data can also be processed without the data subject's consent, subject to the DPA's authorisation if it is necessary:
For specific, lawful purposes as set out in relevant memorandums, articles of association or collective agreements of not-for-profit associations, bodies or organisations, whether recognised or not, of a political, philosophical, religious or trade-unionist nature, regarding personal data of members and/or entities having regular contact with those associations, bodies or organisations. This is provided certain conditions are met (for example, no communication or dissemination, adoption of safeguards and prior notice to data subjects).
To protect a third party's life or bodily integrity.
For, and within the limit of, carrying out investigations by defence counsel or to establish or defend a legal claim. If the data can disclose health and sexual orientation and activity, the right claimed must be a personal right or another fundamental, inviolable right or freedom.
To comply with specific obligations and/or tasks laid down by applicable employment legislation regarding occupational and population hygiene, and safety and social security and assistance purposes.
Data disclosing the data subject's health status can never be disseminated.
Some basic information must be provided to the data subject at the time of collection or, in case of collection through third parties, no later than at the moment of recording of data or of their first communication (Article 13, Code). This information includes:
The purposes and methods of the processing.
The mandatory or voluntary nature of providing the requested data.
Consequences of the failure to reply.
The entities or categories of entity to whom the data can be communicated, or who may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of the data.
Rights granted under Article 7 of the Code (see Question 13).
Some identification data concerning the data controller and, where appointed, the data controller's representative in Italian territory under Article 5 of the Code, as well as the data processor (see Question 2).
A data subject is entitled to obtain confirmation as to whether or not personal data concerning him exist, regardless of whether the data have already been recorded, and the communication of the data in an intelligible form (Article 7, Code).
A data subject also has the right to be informed of:
The source of the personal data.
The purposes and methods of the processing.
The logic applied to the processing, if the latter is carried out through electronic means.
Identification data of the data controller, data processors and any representative designated by the data controller established outside the EU making use of equipment, whether electronic or otherwise, situated in Italian territory.
The entities or categories of entity to whom personal data can be communicated and who can get to know this data in their capacity as a designated representative in Italian territory, data processor or person in charge of the processing.
A data subject has the right to obtain:
Updating, rectification or integration of data.
Erasure, anonymisation or blocking of data that have been unlawfully processed, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed.
Certification that the actions listed above have been carried out.
A data subject has the right to object, in whole or in part to:
The processing, on legitimate grounds, of his personal data, even though they are relevant to the purpose of the collection.
The processing of his personal data, when carried out to send advertising materials, for direct selling or to perform market or commercial communication surveys.
Processing of personal data must be carried out so as to minimise, by means of suitable preventative security measures, the risk of destruction or loss, whether by accident or not, unauthorised access, or processing operations that are either unlawful or inconsistent with the purposes for which the data have been collected.
Preventative security measures are both technical and organisational. The Code also provides a set of minimum security measures (listed in Annex B of the Code) which apply to processing whether by electronic means or not, and whose breach can trigger criminal and administrative sanctions (see Question 25).
There is no general duty to notify data security breaches. However, there is an exception for data controllers who provide a publicly available electronic communications service. If there is a particular risk of a breach of network security, the provider must inform subscribers and, if possible, the users about the risk and, when the risk lies outside the scope of the measures to be taken by the provider, provide information on all the possible remedies, including an indication of the likely costs involved (Article 32, Code). This information must also be provided to the DPA and the Authority for Communications Safeguards.
A third party processing the data on behalf of the data controller must be appointed either as a data processor or as a person in charge of the processing. Data processors must be selected taking into account their experience, capabilities and reliability.
Both the data processors and persons in charge of processing must be provided with written and specific instructions.
Generally, data controllers must obtain the specific, prior informed consent of data subjects to store cookies, since the Code prohibits using an electronic communications network to gain access to information stored in the terminal equipment of a subscriber or user, to store information there or to monitor operations performed by a user (Article 122, Code). Session cookies, expiring at the end of a browser session, are nonetheless generally tolerated. A specific code of conduct detailing the conditions under which an electronic communications service provider can use the network in this manner is due to be enacted, although there is no timeframe for this (Article 133, Code).
Generally, unsolicited electronic commercial communications are forbidden, unless the data controller has obtained the data subject's prior consent (opt-in).
However, for direct marketing purposes, a data controller can use a data subject's e-mail details without his consent, provided:
The details were supplied by the data subject in the context of the data controller's sale of a product or service.
The services being marketed are similar to those that have been the subject of the previous sale.
The data subject, being adequately informed, does not object to their use either initially or in connection with subsequent communications.
The data subject has been informed of the possibility to object to the processing at any time, free of charge.
Sending communications by disguising or concealing the identity of the sender, or without a valid address to which the data subject can send a request to exercise the rights granted by the Code, is prohibited.
The cross-border transfer of data outside Italy is regulated as follows:
Transfer across EU member states is in principle allowed.
A transfer outside the EU is allowed if any of the following conditions are satisfied:
the data subject has given his express consent, (for the transfer of sensitive data this must be in writing);
it is necessary to perform contractual and pre-contractual obligations or to safeguard a public interest or a third party's life or bodily integrity, or to defend a legal claim;
it is carried out in response to a request for access to administrative records or for information contained in publicly available registers;
it is necessary for scientific, statistical or historical purposes;
it is authorised by the DPA on the basis of adequate safeguards to the data subject's rights determined through contractual safeguards, or by rules of conduct applied within the same group of companies (binding corporate rules);
it is authorised by the DPA, according to an EU Commission decision:
being a transfer to a non-EU state which ensures an adequate level of protection; or
on the basis of standard contractual clauses ensuring adequate safeguards to protect the data subject's rights.
Non-EU states ensuring an adequate level of protection are Andorra, Argentina, Australia, Canada, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel and Switzerland.
The DPA has authorised the transfer of personal data from Italy to organisations established in the US, where it is performed on the basis of, and in compliance with, the Safe Harbor Privacy Principles, implemented in accordance with the guidance provided in the frequently asked questions and the additional documents annexed to Commission Decision 2000/520/EC of 26 July 2000.
The cross-border transfer of data outside the EU is also allowed if the data exporter and the data importer enter into standard agreements, based on the model clauses adopted through:
Commission Decision 2010/87/EU for the transfer of personal data to processors/sub-processors established in third countries under Council Directive 95/46/EC (which repealed Decision 2002/16/EC).
Commission Decision 2001/497/EC (as amended by Commission Decision 2004/915/EC) on standard contractual clauses for the transfer of personal data to third countries, which applies to transfers between data controllers.
The DPA has approved a set of standard clauses.
The drafting of the data transfer agreements in full compliance with the standard clauses is sufficient to validly transfer the data (see Question 21).
The transfer does not need the DPA's approval. However, for transfers from data controllers to data processors, the DPA may have further requirements (for example, to file the contract with the DPA or to notify the sequential appointment of more than one sub-processor).
The Code provides a set of enforcement powers to the DPA, the most relevant of which are to:
Receive reports and complaints and take appropriate steps in regard to complaints lodged by data subjects.
Carry out investigations aimed at verifying that the processing complies with the data protection regulations, by ordering the provision of information and the production of documents, or the inspection of databases, archives, premises, and so on.
Order data controllers or data processors, also ex officio, to adopt such measures as are necessary or appropriate for processing to comply with the data protection regulations.
Prohibit, also ex officio, unlawful or unfair data processing operations, in whole or in part, or block such processing operations.
Impose administrative sanctions (see Question 25).
Failure to comply with the data protection regulations can trigger criminal or administrative sanctions, or both. For example:
Providing no or inadequate information to data subjects: fine of EUR6,000 to EUR36,000.
Assignment of data to another data controller for non-compatible purposes: fine of EUR10,000 to EUR60,000.
Incorrect communication of health data to data subjects by health care bodies: fine of EUR1,000 to EUR6,000.
Violation of opt-out in telemarketing activities: fine of EUR10,000 to EUR120,000.
Failure to abide by the general provisions of the DPA: fine of EUR30,000 to EUR180,000.
Violation of traffic data retention: fine of EUR10,000 to EUR50,000.
Failure to submit notification or submitting an incomplete notification: fine of EUR20,000 to EUR120,000.
Failure to provide information or produce documents to the DPA: fine of EUR10,000 to EUR60,000.
Unlawful data processing: imprisonment of between six months and three years or a fine of EUR10,000 to EUR120,000.
Untrue declarations and notifications submitted to the DPA: imprisonment of between six months and three years.
Failure to provide minimum security measures: imprisonment of up to two years or a fine of EUR10,000 to EUR120,000.
Violation of the prohibition regarding processing of employees' opinions (such as political or religious) or violation of the prohibition regarding remote monitoring of employees: fine of EUR154 to EUR1,549 (increasable by up to five times) and/or imprisonment of between 15 days and one year. Publication of the relevant judgment can also apply.
Failure to comply with provisions issued by the DPA: imprisonment of between six months and two years.
(As at 1 March 2012, US$1 was about EUR0.74.)
Fines can be altered for various reasons, for example:
Increased by up to four times if they may prove ineffective on account of the offender's economic status.
Reduced to two-fifths in cases considered less serious due to the features of the activities at issue.
Doubled in more serious cases.
Where one or more of the provisions are violated repeatedly, even if committed on different occasions, in connection with especially important or large databases, a fine of EUR50,000 to EUR300,000 applies. The relevant DPA injunctive order or relevant judgment may also be published.
The unlawful processing of personal data can entail the duty of reimbursement of damage suffered by the data subject.
Main areas of responsibility. The DPA is mainly responsible for:
Supervising compliance with the provisions protecting private life.
Handling claims, reports and complaints lodged by citizens.
Banning or blocking processing operations that are liable to cause serious harm to individuals.
Checking into the processing operations performed by police and intelligence services.
Carrying out on-the-spot inspections.
Reporting to judicial authorities on serious infringements.
Raising public awareness of privacy legislation.
Fostering the adoption of codes of practice for various industry sectors.
Granting general authorisations to enable the processing of certain data categories.
Participating in EU Community and international activities.
Qualified. Italy, 1994
Areas of practice. IT; IP; data protection; corporate.