The European Regulation No. 679/2016 on the protection of personal data, known as the GDPR (General Data Protection Regulation), entered into force on 24 May 2016 and became applicable from 25 May 2018 (the deadline for compliance), repealing Directive 95/46/EC. The new regulatory framework provides greater protection in the processing of personal data, more demanding requirements and heavier penalties. The processing of personal data is placed at the centre of company organisation, and new professional roles are foreseen in this area.

The General Data Protection Regulation imposes on all companies and professionals operating in the EU member states a series of innovations of fundamental importance regarding the processing of personal data. Personal data means any information concerning an identified or identifiable natural person (so, for example, an e-mail address, identity details and a mobile number that a person provides are all personal data).
The GDPR introduces changes compared to the previous legislation, such as the following:


The person who determines the purposes and means of the processing of personal data is defined as the “data controller” and can be a natural or legal person, a public authority, or another body or service. The controller's task is to put in place all the appropriate technical and organisational measures to ensure that processing is carried out in accordance with the Regulation. The controller must be able to demonstrate the concrete adoption of technical and organisational measures aimed at ensuring that processing complies with the Regulation. To this end, the controller must respect the following principles:
• Privacy by design: the processing must provide, from the outset, the essential guarantees needed to protect the rights and freedoms of the data subjects;
• Privacy by default: adequate technical and organisational measures must be implemented so that, by default, only the personal data necessary for the specific purpose of the processing are processed.


The Regulation pays particular attention to the principles of lawfulness, fairness and transparency. The legal bases for processing are:
• The explicit consent of the data subject;
• The fulfilment of contractual obligations;
• The fulfilment of legal obligations to which the controller is subject;
• The safeguarding of the vital interests of a natural person;
• The public interest or the exercise of public powers;
• The pursuit of a legitimate interest of the controller or of the third parties to whom the data are communicated.
Tacit or presumed consent is no longer allowed. The data controller must always be able to demonstrate that the data subject has given consent to the processing of their data.


The privacy notice must be provided to the data subject before the data are collected. The controller must provide the data subject with an extensive set of information, listed exhaustively in Articles 13 and 14 of the Regulation. This information must always be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.


The GDPR grants the data subject five fundamental rights:
• Right of access: the right of the data subject to request and obtain from the controller information on the processing of their personal data;
• Right to be forgotten: the right of the data subject to have their personal data erased;
• Right of rectification: the right of the data subject to request that the data concerning them be modified, corrected or updated;
• Right to restriction of processing: the right of the data subject to request that the controller limit the processing of their data to storage only;
• Right to data portability: the right of the data subject to receive from the controller a copy of the personal data being processed in a structured, commonly used and machine-readable format.

The data subject is the natural person to whom the personal data refer (for example, an individual customer, a customer company, or an employee). In particular, it is emphasised that the controller is required to facilitate the exercise of the data subject's rights. When the data subject submits a request to the controller, the response period is 1 month for all rights, extendable to 3 months in cases of particular complexity.


“Impact assessment” means the analysis of the origin, nature and severity of the risk to the right to data protection. Only on the basis of the outcome of this assessment can the controller decide whether to proceed with the processing under the measures they have prepared. If they deem it necessary, the controller can consult the supervisory authority on the management of residual risk.


The Regulation introduces the role of the “Data Protection Officer” (DPO), who is assigned important data protection tasks and, first of all, the task of monitoring compliance with the Regulation. The DPO must have expert knowledge of data protection law and practice and the skills needed to carry out the tasks assigned. Appointment of a DPO is mandatory:
• When the processing is carried out by a public authority or public body (with the exception of courts acting in their judicial capacity);
• When the processing operations, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale;
• When the core activities of the controller or processor consist of large-scale processing of special categories of personal data (sensitive data) or of data relating to criminal convictions.


The controller can designate a data processor, who processes personal data on the controller's behalf. The processor must provide sufficient guarantees that adequate technical and organisational measures will be implemented to protect the rights of the data subject. The assignment of processing to a processor must be governed by a written contract that strictly regulates the matters indicated in the Regulation.


In the event of a personal data breach, the controller must notify the supervisory authority of the breach within 72 hours of becoming aware of it, unless the breach is unlikely to present a risk to the rights and freedoms of individuals.


The controller must keep a register of processing activities. Although the GDPR exempts organisations with fewer than 250 employees from this obligation (only if they do not carry out processing that presents a risk to, or limits, the rights and freedoms of the data subject), the Italian Data Protection Authority (Garante) strongly recommends that all organisations processing personal data keep one, as it is a fundamental tool for maintaining an up-to-date list of all processing activities carried out.

To comply with the new European Regulation, the following course of action is envisaged:
• PRIVACY ASSESSMENT: a fresh mapping of processing activities and roles, in order to plan the implementation of a structured Privacy Governance System capable of raising the level of data protection and of awareness of the processing carried out, with particular attention to:
▫ Identification of databases;
▫ Vulnerabilities and critical points of the processing carried out;
▫ Internal procedures and policies;
▫ Management and rules for processing activities;
▫ Management and rules for employees;
▫ System documentation;
▫ Analysis of the information system and of the security measures implemented under the legal provisions, in order to produce a gap analysis highlighting the deviations from compliant implementation of the new Regulation.
• Evaluation and practical definition of the “Privacy by Default and Privacy by Design” principles on which the new Regulation is based;
• Risk assessment of the processing activities carried out;
• Identification, planning and application of the minimum physical and logical security measures for data protection;
• Drafting of system documentation (register of processing activities, internal processing assignments, appointments of external processors, technical documents, privacy notices, etc.);
• Definition and implementation of the activities related to a “Data Breach” (personal data breach), including the definition of the alert system;
• Training of data processors;
• Appointment of the DPO (where required).
The Regulation provides only for administrative fines. The penalties imposed must be effective, proportionate and dissuasive in each individual case. Two tiers of penalty are distinguished according to the type of violation:
• Administrative fines of up to 10,000,000 euros or, for businesses, up to 2% of the total annual worldwide turnover of the preceding year, whichever is higher (e.g. if adequate data security measures are not implemented);
• Administrative fines of up to 20,000,000 euros or, for businesses, up to 4% of the total annual worldwide turnover of the preceding year, whichever is higher (e.g. in the event of violation of the basic principles of processing, including the conditions for consent).
Individual national laws may provide for criminal penalties.

Last modified: June 15, 2018