Support of the Garante della Privacy in the development of a Code of Conduct applying to data processing for the purposes of commercial information
The Garante (Italian DPA) has encouraged the Code of conduct and professional practice applying to data processing for the purposes of commercial information (the “Code”), which will enter into force on 1 October 2016 pursuant to Sections 12 and 117 of legislative decree no. 196/2003 of June 30, 2003 (Italian Personal Data Protection Law).
The Code, which applies to all organisations that collect commercial information, underlines the obligation to provide information before processing data, so as to grant the data subject free access to their own data. It also provides that an operator may process personal data only if the data are relevant and not excessive in relation to the purposes for which they were collected, and that the operator must keep the data up to date and record their source.
Finally, the Code is flexible: it states that other self-regulatory instruments may regulate the processing of personal data in certain areas, provided they are approved by the DPA.
The Garante asks Facebook to block a “fake” account and to hand over all data to the victim
On 11 February 2016, Italy’s DPA stated that Facebook must provide a user not only with the data concerning himself but also with the data entered and shared by someone else through a fake account created for that purpose. Facebook must also block the fake account, so that the judiciary can intervene if necessary, and provide information about how the personal data were used.
Background of the case:
An Italian Facebook user complained to Italy’s DPA, alleging that he was the victim of attempted extortion and defamation by a fellow Facebook user. After the second user became Facebook friends with the complainant and exchanged some confidential correspondence with him, he allegedly made requests for money. When the complainant refused, the second user allegedly created a new “fake” Facebook account using the complainant’s information (for instance, his profile picture) and sent all of the complainant’s Facebook contacts a manipulated photomontage of videos and pictures that severely damaged his honour and dignity as well as his public and private image. The complainant reported the case to Facebook and considered its response unsatisfactory. He therefore asked Italy’s DPA to block the “fake” account and delete its data.
Simplification scheme for the Data Protection Officer
In March 2016, the Italian data protection authority issued a Fact Sheet on data protection officers (DPOs) in light of the upcoming General Data Protection Regulation (GDPR). It sets out a wide range of requirements relating to DPOs, such as their duties, eligibility prerequisites and responsibilities.
The Fact Sheet is addressed to all bodies that process data. It also covers every activity that requires regular and systematic monitoring of data subjects on a large scale, as referred to in Article 35 GDPR.
For that reason, the Fact Sheet underlines that the DPO must have appropriate knowledge of the data protection legal framework and must work diligently and without any conflict of interest. In the words of Matteo Colombo, President of the Italian Association of Data Protection Officer (ASSO DPO), “(…) the DPO should receive multidisciplinary training and education in compliance, human resources and trade union law, be computer literate and, last but not least, have a good knowledge of the English language.”
According to the President of ASSO DPO, introducing the DPO role may improve the effective protection of personal data and privacy in Italy.
Privacy at the workplace after the ECHR ruling
“Workers should be informed. The employer cannot snoop on email,” stated Antonello Soro, President of the Italian Authority for the Protection of Personal Data.
The Garante recently commented on the judgment of 12 December 2015 of the European Court of Human Rights (ECHR), declaring that the ruling does not mark the end of privacy at the workplace. The ECHR held that it is admissible for an employer to monitor an employee’s private online communications.
The ruling decided an appeal by a Romanian engineer who was dismissed for breach of contract because he had used the company’s email for personal purposes during working hours. He claimed that his right to privacy had been infringed because his employer had read his emails without asking for permission. The Court, however, ruled in favour of the employer, holding that it was not “unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.” The Court’s reasoning was as follows:
a) the company had informed employees of the conditions of use of corporate email, which did not allow personal use; this reduced the workers’ reasonable expectation of privacy in their email communications;
b) the monitoring of the email account was limited in time and nature, and strictly proportionate to the aim of proving the employee’s breach of contract; his lack of productivity was established and legitimised the dismissal;
c) the employer’s access to the worker’s email was legitimate because it was based on the premise that the contents of the communications were professional in nature;
d) the identity of the worker’s correspondents was not disclosed to the courts;
e) the company had not accessed other files on the employee’s computer; the content of the communications was not examined in the trial, only the personal character of the email use during working hours, which resulted in reduced employee productivity;
f) the employee had failed to justify his use of corporate email for personal purposes.
The Court thus reaffirmed that an employer’s controls over working activity are permissible only to the extent that they are strictly proportionate and not excessive for the purpose of verifying whether working obligations have been fulfilled. Such controls must also be limited in time and nature, targeted (i.e. not indiscriminate) and based on grounds (in particular, the inefficiency of the employee’s work) that legitimise carrying them out. Finally, they must already be provided for in the company policy, of which the employee must be properly informed.
Decision on Data Transfers to the USA: the “Safe Harbor” Authorisation is Invalid
On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a decision following the recent judgment of the Court of Justice of the European Union in Schrems v. Facebook, which declared the system set up under the Safe Harbour invalid.
As a direct consequence, the GDPD explicitly prohibited any data transfer between Italy and the USA under that system. It may carry out inspections of such transfers at any time and, if necessary, adopt the measures provided for under the Italian Data Protection Code. Organisations are also encouraged to implement alternative mechanisms in order to ensure compliance with Italian rules on the protection of personal data.
Finally, the GDPD suggested some instruments for lawfully transferring the data of Italian citizens, namely Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR) or the consent of data subjects.
Sweep Day 2015: Children’s privacy
On 7 September 2015, the Garante per la protezione dei dati personali reported the results of a privacy sweep that examined the data privacy practices of websites and apps aimed at, or popular among, children. The investigation highlighted serious problems and risks for children’s privacy in the practices of the websites and apps examined.
The survey carried out by the Italian DPA was developed in collaboration with 28 other European Data Protection Authorities under the auspices of the Global Privacy Enforcement Network (GPEN) on the occasion of “Privacy Sweep 2015”, dedicated to the protection of children aged between 8 and 13 years.
The aim of the research was to obtain an overall picture of the privacy practices of apps and websites targeted at or frequently used by children. The results of the global survey, in which about 1500 sites and apps were analysed, show a scenario that offers children’s privacy little protection. Many of these websites and apps collect personal information without offering children and their parents controls to limit the use and disclosure of that information, or a simple means of deleting an account permanently.