Italian DPA Issues Guide for the Application of the GDPR

On April 28, 2017, the Garante (Italian data protection authority) released its first guide for the application of the GDPR (the “Guide”). As many know by now, the new European regulation governing the protection of natural persons with respect to the processing of personal data will become effective on May 25, 2018 and companies across the globe are getting ready to meet the numerous new obligations it contains.

The Guide aims to offer a few “tools” to help public entities and companies subject to the Regulation to prepare, as well as raise awareness on strengthened safeguards and new important rights that the regulation offers. It provides valuable practical recommendations for proper implementation of the provisions and is also meant to be a living document, which will be updated regularly, based on the interpretation and practical application of the Regulation.

The Guide is Divided Into 6 Thematic Sections

  1. Fundamentals of lawfulness of processing
  2. Disclosures (information to provide to data subjects)
  3. Data subject rights
  4. Joint controllers, representatives of controller, processing under the authority of controller/processor
  5. Risk-based approach and accountability of controller and processors
  6. International data transfers

1: Fundamentals of Lawfulness of Processing

1.1. Consent

What changes?

  • Consent must be explicit for the collection of “sensitive data.” It does not necessarily have to be in writing but the controller must be able to demonstrate explicit consent
  • Children can consent from the age of 16


  • For existing processing activities based on consent, make sure it is valid (informed, specific, freely given, and unambiguous) and comply with all GDPR requirements
  • The request for consent must be clearly distinguishable from other requests

1.2. Legitimate Interest

The guide points to Recital 47 of the Regulation and the Opinion of the Article 29 Working Party issued in April 2014 on the notion of legitimate interests of the data controller. It also confirms the existing requirements set by the Garante with respect to certain types of processing of biometric data, and the use of video surveillance.

2: Disclosures (Information to be Provided to Data Subjects)

The Guide recommends that all controllers verify their compliance with Article 13 of the GDPR, which lists all the information to be provided to data subjects when collecting personal data from them. The Regulation supports the concept of “stratified” information which has been developed by the Garante (use of specific icon or electronic means to ensure the widest possible dissemination and simplify the delivery of the information).

3: Data Subject Rights (Access, Erasure, Object, Portability)

3.1 Procedure

What changes?

  • Controllers have one month after receipt to respond to a request from a data subject (can be extended by two further months, considering the complexity of the request and number of requests the controller gets)
  • The response should be in writing


  • Controllers are to take appropriate measures to facilitate the exercise and response to data subject requests
  • The Garante may issue guidelines about the charging of a “reasonable fee” for manifestly unfounded or excessive requests

3.2. Right of Access

Gives the right to receive a copy of the data.

3.3. Right to Data Portability

The Guide points to the Article 29 Working Party guidelines on data portability published in December 2016 and revised on 5 April 2017.

4: Joint Controllers, Representatives of Controller, Processing Under the Authority of Controller/Processor

The Guide recommends that controllers carefully consider the existence of any co-ownership situations. Controllers should also ensure that current contracts or other legal instruments with processors, joint controllers comply with the requirements of the GDPR. The recommendation adds that adherence to codes of conduct or certifications will suffice for controllers to demonstrate “sufficient safeguards” addressed in Article 28.

5: Risk-based Approach and Accountability of Controller and Processors

Register of Processing Activities

Controllers have to maintain a record of their processing activities. The content of the register is set out in Article 30 but controllers are free to include additional information if they deem it appropriate to assess the risks of a particular processing activity. The Garante is considering providing a “log model” on its website.

Security Measures

Security measures must reflect the level of risks resulting from the processing operation. Adherence to codes of conduct and certifications may be used to certify the adequacy of the security measures implemented by the organization.

Notification of Personal Data Breaches

The Article 29 Working Party is working on guidelines to provide additional details about the notification of supervisory authorities when a personal data breach occurs. The Garante has provided a model for the notification of breaches by service providers processing electronic communications, which it will revise to make it usable in all instances.

Data Protection Officer

The Guide points to the Article 29 Working Party guidelines on data protection officers published in December 2016 and revised on 5 April 2017.

6: International Data Transfers

The Guide provides an overview of what changes and does not change regarding transfer of personal data to third countries and to international organizations. It sets forth the different basis for such transfers (Articles 44 to 50): an adequacy decision, transfer is based on codes of conduct or certification demonstrating appropriate safeguards, BCRs, standard contractual clauses, legally binding instrument (such as Privacy Shield) and the derogations for specific situations. What does not change is the approach to cross-border data transfers that exists under the current Directive 95/46/EC, which is that transfer of personal data outside the EEA is prohibited, unless specific guarantees are in place.

Read the complete guide here.

OneTrust is exhibiting at Congresso Annuale Asso DPO in Milan, Italy this week from 8 May to 9 May.