The Italian Decree no. 101/2018, implementing Regulation no. 679/2016 (GDPR)

Lawyer Vincenzo Colarocco

On September 4th, the legislative decree n. 101 of 10 August 2018, concerning the provisions for the adaptation of the national legislation to the Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and rules to the free movement of such data, better known as “GDPR”. The Regulation is already obligatory from 25 May, but the national legislation, and precisely our Privacy Code, needed an appropriate adjustment. The result is a “slimmer” Code, but also more coherent with the European law.

The legislative technique adopted by the Italian legislator was to avoid duplicating provisions, which are present both in the Regulation and in the Code. The decree will be applicable on September 19: this decision has been taken to guarantee the continuity of the legislation, saving for a transitional period the provisions of the Authority and the authorizations, which will be reviews in future, as well as the deontological codes in force. Among the most relevant innovations are:

a) forecasts that, for the first eight months after entry into force, the Guarantors for the protection of personal data take into account the fact that they are still at an early stage in implementing the legislation, to provide the penalties;

b) the consent of Italian minors from the age of 14 for the processing of personal data in the use of information society services (in France, the draft provides for 15 years);

c) the repeal of the crime referred to in art. 169 of the Privacy Code, since the minimum security measures are no longer foreseen, together with other penal sanctions which, in the face of new administrative sanctions, would have violated the principle of “ne bis in idem“, in the face of the inclusion of new types of offense;

d) the prediction that in cases of receipt of the curricula spontaneously transmitted by the candidates, for the purpose of establishing a working relationship, the information must be provided at the time of the first useful contact, following the sending of the curriculum. Furthermore, consent to the processing of personal data in the curricula is not due;

e) the management of rights concerning the deceased persons who may be exercised by those who have an interest of their own, or who are acting to protect the data subject, as their agent, or for family reasons deserving of protection.