BDO Local Resources
Stefano Minini
Luigi Sasso
Law: GDPR, Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code'), Legislative decree n. 196/03 integrating GDPR provisions
Regulator(s): Italian Data Protection Authority ('Garante')
Adequacy Agreement with GDPR: n/a
At the end of 2018, Italy amended the Personal Data Protection Code to adapt to the GDPR.
In Italy's business environment, 2021 is mainly focused on fine-tuning privacy compliance frameworks at the corporate level and deploying them to sister companies abroad.
In September 2021, the Garante approved the use of body cameras by two law enforcement agencies (the State Police and the National Military Police). Use limits were imposed, especially concerning facial recognition and the implementation of security measures. The State Police and National Military Police conducted Data Protection Impact Assessments (‘DPIAs’). They agreed to limit the recording time, disallow unique facial recognition identification, and limit activation to documenting situations of concrete and ‘real’ danger for the public or criminal offences.
Following other prominent Data Protection Authorities (e.g., France CNIL, Spain AEPD, Denmark Datatilsynet) and the European Data Protection Board (‘EDPB’) in July 2021, the Garante launched an informational page on cookie use to protect users’ personal data when browsing online. The Garante identified a six-month deadline for Italian companies to comply with the new guidance.
Data Protection Authority Focus
In terms of control activities, the Garante focuses on the technology, telecommunications, multi-utility, and sanitary industries. Significant sanctions of more than €20 million have been applied, mainly for undue telemarketing activities, in the past months.
In September 2021, the Garante fined the Region of Lombardy €200,000 for publishing personal data of more than 100,000 students on the institution’s website. The students had requested state scholarships and economic subsidies to purchase textbooks, technological equipment, and teaching tools. The Garante found that the data published lacked a legal basis and violated Article 6 of the GDPR and Article 5(1)(a) and (c) for publishing data revealing economic hardship.
In September 2021, the Garante fined the Municipality of Rome €800,000 for several privacy violations related to parking meters located in Rome. The municipality contracted a service to Atac Spa to manage the parking lots and implement technology to offer new services and introduce new payment methods. The Garante found that the municipality (the data controller) and Atac Spa (the data processor) violated Articles 5(1)(a), 12, 13, and 28.
In September 2021, the Garante announced that it had asked the Irish DPC to investigate Facebook regarding the recent announcement of smart glasses before the glasses are marketed in Italy. The Garante requested that the inquiries include the legal basis, data protection, anonymization, and the voice assistant connected to the glasses. The Irish DPC and the Garante published a joint statement calling for Facebook Ireland to confirm that its newly released product, Facebook View, properly informs individuals when they are recorded.
 GPDP, Garante per la Protezione Dei Dati Personali, Linee guida cookie e altri strumenti di tracciamento - 10 giugno 2021, 10 July 2021
 GDPRhub, Garante per la protezione dei dati personali (Italy) - 9697724
 P365 Blog, BY THE ITALIAN DATA PROTECTION AUTHORITY: Roma Capitale, parking are not protected by drivers. The Italian DPA sanctions the Municipality and Atac, 09 October 2021
 IAPP.org, Irish and Italian DPAs on Facebook smart glasses privacy issues, 23 September 2021