GDPR: The Italian Data Protection Authority Issues its First Guidelines


By a press release dated April 28th, 2017, the Italian Data Protection Authority (“DPA”) issued its first guidelines (“Guidelines”) on the General Data Protection Regulation (“GDPR”), which constitutes an important and helpful instrument for those interested in making sure their data processing is compliant with the new EU Regulation ahead of its implementation date (May 25th, 2018).

The Guidelines, that are promised to be amended and/or integrated by the Italian DPA in light of future European and Italian developments as to the interpretation of the GDPR provisions, offer a general overview of the major issues that every company and/or public body should consider in view of May 25th, 2018.

The Guidelines are divided into six different sections (Lawfulness of data processing; Information to be provided on where personal data are collected; Data subjects’ rights; Data Controller, data processor and persons authorized to process personal data under the direct authority of the controller or processor; Data processing risk approach and accountability measures; International data transfers). On one hand, they explain some clarifications with regard to the main data processing aspects introduced by the new European law; on the other hand, they provide for important practical recommendations which are useful to implement the GDPR provisions.

In particular, through its Guidelines the DPA highlights the differences between the GDPR discipline and Italian Law No. 196/2003 ( “Privacy Code”) - i.e. the law that the Italian legislator has adopted in order to comply with Directive No. 95/46/EC – and encompasses for instance the following topics: the new contents of the information notice to be provided to the data subjects (the data protection officer’s contacts, the retention period, the legitimate interest of the data controller - if the data processing is based on it - and the right to claim or defend privacy rights in front of a supervisory authority); the data portability right, the right to be forgotten and the right to restriction of processing; the joint controller institution and the possibility for a data processor to appoint a sub-processor directly.

Moreover, the DPA focuses its attention on the new “accountability approach” on which the GDPR is based, by means of reminding the introduction of the principles named “privacy by design” and “privacy by default”, as well as the new data protection impact assessment (“DPIA”) and also by recommending to every data controller or processor to adopt a proactive approach to their data processing with the aim of taking preventive security measures. To such extent, the DPA also refers to the abolition of some rules provided by the Privacy Code (such as the prior notification and its prior checking).

It should be noted that in Italy no legislative process has yet been launched for making the Privacy Code compliant with the GDPR. The Privacy Code, therefore, as well as any DPA’s statements issued since 1996, shall remain in force until its provisions will not infringe the GDPR’s ones or until they will be declared not compliant with the GDPR.

Related links:


Article provided by Avv. Chiara Rossana Agostini / R&P Legal Law Firm / Italy


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.