On 25 May 2018, EU Regulation No. 2016/679, known as the GDPR (General Data Protection Regulation), came into effect across the European Economic Area. Through it, the European Commission intended to reinforce the protection of the personal data of EU citizens and residents, both within and outside the EU's borders.
The GDPR therefore pursues the objective of simplifying the regulatory framework by unifying and standardizing privacy rules within the EU. From its entry into force, the Regulation replaces the contents of the Data Protection Directive (Directive 95/46/EC), and in Italy it repeals the inconsistent provisions of the former Code for the protection of personal data (Legislative Decree No. 196/2003).
The Regulation concerns the processing of personal data, meaning any information relating to an individual, whether it refers to private life or to public information (photos, e-mail, names, bank details, blogs on social network websites, IP addresses of computers, as well as medical, biometric or genetic information).
In a nutshell, the GDPR introduces clearer rules on information and consent, limits automated processing of personal data, establishes 12 new rights (including the "right to be forgotten" and data portability), sets strict criteria for cross-border processing and lays down strict rules for personal data breach cases.
In particular, the security of the collected data is guaranteed by the data controller and the processor, who are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. To this end, the data controller and the processor shall ensure that anyone with access to the collected data processes it only on their instructions and after specific training, unless required to do so by Union or Member State law. To protect the data subject, the Regulation also governs the transfer of personal data to a third country or an international organization and requires that the data subject be promptly informed of a breach that jeopardizes his rights.
The principle of accountability for the processing of personal data remains grounded, as in the Code for the protection of personal data, in a concept of liability for the exercise of a dangerous activity, with a concrete ex ante assessment and a substantial shift of the burden of proof.
The data controller is required to notify a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it. In some cases, the data subject must also be informed of the personal data breach without undue delay.
Penalties may consist of a warning in cases of a first, unintentional non-compliance, or of administrative fines for amounts between EUR 10 and 20 million, or between 2% and 4% of the total worldwide annual turnover of the preceding financial year in the case of large undertakings, groups of undertakings and/or international firms.
The Regulation also applies to companies and institutions, legal persons, partnerships and associations in general with registered offices outside the EU that process the personal data of EU residents, irrespective of where the storage and processing server systems are located.
A further innovation is the introduction of the "Data Protection Officer" (DPO), who is responsible for ensuring that the processing of personal data carried out by undertakings and other legal entities is correct, and who is appointed on the basis of his professional qualities and expert knowledge of data protection law and practice. The DPO must be designated by the data controller and the processor in the following three cases: when the processing is carried out by a public authority or body (except for courts acting in their judicial capacity); when the core activities of the data controller and the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; and when the processing involves, on a large scale, special categories of data (formerly "sensitive data") or relates to criminal convictions and offences.
In all other cases, the data controller and the processor, as well as the associations or other bodies representing them, may designate a data protection officer who may act on behalf of such associations and bodies.
Another important change concerns the right to erasure, the so-called right to be forgotten: in certain cases, the data subject has the right to obtain the erasure of his personal data, and the data controller is obliged to comply without undue delay. This right was first affirmed in the case law of the ECJ in the "Google Spain" case, specifically as a right to the de-indexing of personal data from web search engines. The GDPR goes beyond simple de-indexing: a genuine erasure of the personal data from the data controller's archives is required. Moreover, a request for erasure addressed to a data controller who has made the personal data public also obliges him to forward the request to the other data controllers who are processing such data.
Law firms, too, will have to comply with the GDPR, and in this regard the Privacy Commission of the Italian National Forensic Council (CNF) at the Ministry of Justice has just released the "Guidelines for Lawyers on the protection of personal data".
The personal data to which the lawyer has access in the exercise of his functions are by their nature particular and subject to greater protection: "they may in fact concern health, religious beliefs or political opinions, judicial data, family situation, data of minors and much more, and their processing follows a specific logic, different from that of the commercial enterprise, being intimately connected to the relationship of trust that binds the lawyer to his client and to respect for deontological obligations, first of all the obligation to guarantee professional secrecy".
The guidelines issued by the CNF do not claim to be exhaustive, "also considering both the fact that the Regulation, with the introduction of the accountability principle, requires each lawyer to adapt the measures to be adopted to his own organization, and the fact that, at the time of drafting, the legislative decree for the adaptation and harmonization of the legal order to the GDPR had still to be approved (a decree which, although not affecting the direct applicability of the rules of the Regulation, should introduce specific rules on the processing of certain particular categories of data, as well as judicial data, and provide for specific transitional rules). Therefore, the CNF guidelines will be subject to amendments and further expansions".