Among the provisions contained in the 2018 Italian budget law there are new fulfillments to be carried out by the controller that could seem in contrast to the rationale of the EU privacy regulation.
The entry into force of the European privacy regulation (reg. EU 2016/679) is imminent and the 2018 Italian budget law (law no. 205/2017) has introduced some provisions aimed at adjusting the domestic law to the GDPR (i.e. General Data Protection Regulation).
Among the measures adopted by the legislator the introduction of a preventive notification procedure to the Data Protection Supervisor for processing based on the legitimate interest of the controller and carried out through the employment of new technologies or new automated tools stands out.
The current Italian regulatory system contained in the privacy code (Legislative Decree 675/96) provides the possibility of processing data without the data subject’s consent in the cases listed by the Data Protection Supervisor and based on the principles laid down by the law, provided that the processing is founded on the legitimate interest either of the controller or of a third party data recipient, and only on condition that it is not overridden by the data subject’s fundamental rights and freedoms, dignity or legitimate interest.
The European privacy regulation that will come into force on 25th May 2018 has maintained the possibility of processing data based on the controller’s legitimate interest. Such choice is coherent with the accountability principle that is the cornerstone of the GDPR, due to which the controller must abide by the provisions of law carrying out adequate assessments based on the risk.
In other words, if there is the controller’s legitimate interest, even though within certain limits, the European regulation allows the possibility of processing data, leaving to the same controller the choice and the responsibility of assessing whether, and to what extent, his interest may be considered legitimate and, at the same time, whether the processing does not harm the data subject’s fundamental rights and freedoms.
Seemingly countering the spirit of the EU Regulation, through the budget law the Italian legislator has intended to limit the controller’s decision-making power if the data processing is based on his legitimate interest, by requiring the sending of an information document concerning the subject matter, the purposes and the context of the processing to the Data Protection Supervisor.
Therefore, the above procedure will be added to the already long list of fulfillments that the controllers are compelled to carry out in view of the entry into force of the European Regulation. However, the cases in which the fulfillment is required are limited.
In fact, sending the information document to the Data Protection Supervisor is compulsory only for the controllers who process data based on legitimate interest and by using new technologies or automated tools. Not only that, if the Data Protection Supervisor has not replied within fifteen working days from the sending of the information document, the controller may proceed to the processing.
Therefore, the new fulfillment may have the effect of providing greater guarantees since, lacking a prompt reply by the Data Protection Supervisor, the controllers will be entitled to process the data based on their legitimate interest.
Besides, the measures introduced by the budget law come while a corrective and integrative intervention by the Government is awaited (as per delegation contained in Law no. 163 of 25th October 2017) for the purposes of the full adjustment of the domestic law to the GDPR and confirm the constant evolution of the Italian law with concern to privacy.
(Bologna Office – Valentina Saviotti and Marta Tonioni – 0039 (0)51 2750020)