Privacy & Policy

Privacy: NEW GDPR

In a nutshell with the GDPR:

  • Clearer rules on information and consent are introduced;
  • The limits to the automated processing of personal data are defined;
  • The foundations are laid for the exercise of new rights;
  • Strict criteria are established for the transfer of personal data outside the EU;
  • Strict rules are set for data breach cases.

The rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, must therefore comply with the new rules. Companies and institutions will have greater responsibility and, in case of non-compliance, they risk heavy penalties.

Data portability

The Regulation introduces the right to the "portability" of one's personal data, i.e. the right to transfer them from one data controller to another. The rule makes an exception for data contained in archives of public interest, such as registry offices: in this case the right cannot be exercised. Likewise, the transfer of personal data to non-EU countries or international organizations that do not meet adequate data protection standards is prohibited.

The principle of accountability

There are other important new elements. The responsibility of data controllers (accountability) has been introduced, together with an approach that takes greater account of the risks that a given processing of personal data may entail for the rights and freedoms of data subjects. The new portability right will also make it easier to switch from one service provider to another, facilitating the creation of new services, in line with the Digital Single Market strategy.

Data breach

The data controller will have to communicate any personal data breach to the Guarantor (Garante). Responding effectively to a data breach requires a multidisciplinary and integrated approach and greater cooperation at the EU level. The current approach has several flaws that need to be corrected. It is not simple, but it must be done in order not to miss the opportunity provided by the GDPR. The first requirement that Italian companies must implement is undoubtedly the adoption of the Register of personal data processing activities; but even before the bureaucratic hassles, the company must understand the importance and value of its data, as well as the significant economic damage that a loss of information can cause. If the data breach poses a threat to the rights and freedoms of individuals:

  • The data controller must also inform all data subjects in a clear, simple and timely way and indicate how it intends to limit the damage;
  • It may decide not to inform the data subjects if it believes that the breach does not involve a high risk for their rights, or if it demonstrates that it has already adopted adequate security measures; or, finally, if informing the data subjects would involve an effort disproportionate to the risk. In the latter case, a public communication must be made instead;
  • The Guarantor Authority may in any case require the data controller to inform the data subjects, on the basis of its own assessment of the risks related to the breach.

The "Data Protection Officer"

It is no coincidence that the figure of the "Data Protection Officer" (DPO) has been introduced: a person in charge of ensuring the correct management of personal data in companies and entities, appointed on the basis of professional qualities and specialist knowledge of data protection law and practice.

The Data Protection Officer:

  1. Reports directly to top management;
  2. Is independent and receives no instructions regarding the execution of their tasks;
  3. Is assigned adequate human and financial resources for the mission.

In reality there are still too many doubts about what the DPO is. The DPO is an important figure, but certainly not the "center" of the system set up by the GDPR, which in the new framework is always the Data Controller. The DPO must have specific competence "in the legislation and practices relating to personal data as well as in the administrative rules and procedures that characterize the sector". It is no less important that the DPO also possesses "professional qualities adequate to the complexity of the task to be performed" and, above all in sensitive sectors such as healthcare, can demonstrate specific skills with respect to the types of processing carried out by the data controller. The decision-making autonomy of the DPO, and their non-involvement in determining the purposes and means of data processing, are equally important if data subjects are to regain sovereignty over the circulation of their data.

The twelve new rights for the citizen with the GDPR

Citizens need to learn more about the rights and tools that the GDPR gives them to protect personal data. This article is a guide on the new GDPR rights for EU citizens and in general on the impact of the new rules on them.

The powers of the supervisory authority (Garante privacy)

The supervisory authority, in Italy the Privacy Guarantor (Garante), is granted investigative, corrective, authorization and advisory powers, as well as the power to impose administrative fines.

Privacy and Transparency with the GDPR

Among its many innovations, the GDPR may open a new chapter in the relationship between privacy and transparency, also with reference to the activity of private entities that perform functions of public interest. In this context, it is important to underline that the new Regulation does not directly modify the national rules on access to administrative documents, nor those currently applied to the various European institutions. Instead, it makes clear that there is no conflict between the two, since the values of "transparency" and "effective protection of confidentiality" are both considered worthy of effective protection.

GDPR and right to be forgotten

The real novelty that the GDPR brings to the right to be forgotten is in Article 17: an erasure request addressed to a data controller who has made the data public also obliges that controller to forward the request to all those who process the data.
