This is what changes for you with the new General Data Protection Regulation – GDPR and the update of the Italian Legislative Decree n. 196/2003 – Privacy Code
Since 25 May 2018 the General Data Protection Regulation n. 679/2016, also known as the GDPR, has applied, and since 10 August 2018 the update of Italian Legislative Decree n. 196/2003 has been in force, transposing the provisions of the Regulation. The Regulation aims to protect natural persons with regard to the processing of personal data and the free movement of such data within the European Member States.
The GDPR introduces clear rules on privacy policies and consent, sets limits on automated processing of personal data, establishes new rights to protect the freedoms of data subjects, and lays down strict criteria for transfers of data outside the European Union and for cases of personal data breach. It also addresses topics that are complex and, at the same time, fundamental for citizens. To help you understand the innovations introduced and the new Privacy Policies, we offer some highlights below.
First things first!
- First of all, why a new policy?
With the introduction of the GDPR, the privacy policy becomes a more transparent instrument, describing how your personal data are processed and how you can exercise your rights. Please read it carefully!
- What is personal data?
Personal data is any information that identifies, or makes identifiable, a natural person and that can reveal details of your characteristics, habits, lifestyle, personal relationships, health status and even your economic situation.
- What do we mean by personal data processing?
The term "processing" refers to any operation or set of operations performed on personal data.
The definition is very wide, because it also includes the collection, recording, organisation, storage, alteration, selection, extraction, use, blocking, communication, dissemination, erasure and destruction of data. Each of these operations is a form of personal data processing.
- Why do we talk about consent, and what has changed?
Consent, understood as an expression of will, is one of the legal bases for the lawfulness of processing provided for by the current rules.
Consent must be given in advance and be explicit, but also freely given, specific and informed, even when it is expressed electronically. It need not be given in writing, but it must be manifested by a positive action. Even a simple tick on an online form is enough, as long as it is clear what it refers to.
We remind you that consent can be withdrawn at any time: in that case the processing operations that relied on the withdrawn consent will no longer be carried out. But be careful: your data may still be processed for other purposes for which consent is not required. For example: you no longer want to receive advertising? You can withdraw your consent, but your data may still be processed to manage any contractual relationship you have with us.
- So, may processing take place only on the basis of consent?
No. The current rules provide other legal bases for the lawfulness of processing, such as:
- the existence of a legal obligation: in this case we must process your data in order to fulfil legal requirements, as in the case of checks carried out to prevent money laundering and terrorist financing;
- the need to perform a contract to which you are party, or to take pre-contractual measures at your request, such as when you subscribe to a product or make a request to us;
- the pursuit of our legitimate interest, such as when we process your data in order to implement and develop our products and to improve risk assessment.
In the policies and contracts we provide you during our relationship, you will always find precise and accurate information on the legal basis for the processing of your personal data.
- Automated processing: what is it, and what do you need to know?
Under the new legislation, decisions that produce relevant legal effects concerning you shall not be based solely on automated processing of your personal data. An example of automated processing is profiling: the combination of collection and processing activities concerning the users of a service, with the aim of dividing them into groups according to their behaviour.
The current rules provide three exceptions to the prohibition of automated decision-making:
- when you, the data subject, have given specific and explicit consent;
- when it is strictly necessary for entering into a contract;
- when it is required by a legal provision.
- Do you know all the rights you can exercise?
Among the new rights are the right to be forgotten and the right to data portability.
The right to be forgotten gives you, where the conditions required by the Regulation are met, the possibility to request and obtain the erasure of your personal data held in our systems.
The right to data portability, on the other hand, gives you the possibility to transfer your data from one Data Controller to another.
In addition, you have the right to receive a copy of the personal data we process (right of access) and/or the right to restriction of processing, not only where the conditions of lawfulness have been breached, but also while your data are being rectified or if you object to the processing.
If you decide to exercise your rights, we will answer you within one month, or within three months in cases of particular complexity.
- Who is the new DPO?
The DPO (Data Protection Officer) is a very important figure because he or she acts as an "ally" in the protection of your personal data.
The DPO, with full autonomy and independence, provides legal and technical advice to the Data Controller and carries out control activities on Data Processors and on the processes the organisation has put in place.
For further information you can consult our dedicated section on