Privacy data protection. New rules from May 25th. Possible sudden inspections

Data protection: Protocol updating Convention 108 approved


After a long process begun in 2011, the Committee of Ministers of the Council of Europe has completed the modernisation of Convention 108 of 1981 on the protection of individuals with respect to automated processing of personal data.

Formal adoption took place at the Elsinore Ministerial meeting on 18 May. The amending Protocol, which updates Convention 108, will be opened for signature on 25 June, during the session of the Parliamentary Assembly of the Council of Europe.

The modernisation of Convention 108, which is still the only internationally binding instrument on data protection, responds to the many challenges that have arisen over the years with the advent of new technologies, preserving the Convention's principles and strengthening the mechanisms for its effective implementation.

The Protocol guarantees high standards within a flexible regulatory framework that facilitates their adoption by a large number of countries, including those that are not members of the Council of Europe. It also forms a bridge between the different regional approaches, including Regulation (EU) 2016/679 (fully applicable from 25 May), which lists accession to Convention 108 by third countries among the criteria to be considered when assessing the adequacy of those countries in the context of data transfers.

The Protocol contains several innovations compared with the original text. In particular: stronger transparency obligations for data controllers; broader rights for data subjects, which now include the right not to be subject to purely automated decisions and the right to know the logic of the processing; greater guarantees for data security, including the obligation to notify data breaches and to ensure a privacy-by-design approach. The Protocol also strengthens the tasks of the data protection authorities and of the Convention Committee, which is called upon to play a role in assessing the actual compliance with the Convention's principles that must be ensured by the countries that become party to it.

Rome, 21 May 2018 – Garante Privacy


Gdpr [General Data Protection Regulation], inspections at the door: here's what to do

The checks by the Guardia di Finanza or the Guarantor for the processing of personal data will be constant and not always communicated in time. Here is a handbook to avoid mistakes that could cost companies dearly. From issue 158 of AboutPharma

AboutPharma, 21 May 2018, by Alessio Chiodi

“If the owner of the house knew what time the thief was coming, he would not let his house be broken into. You too, be ready…” reads a well-known Gospel parable, which can also serve for the more secular inspections carried out by the authorities on privacy protection. Because now that the rules of the game are changing, the controls may also increase. And it is not known when they will come knocking on the door to ask a company to account for its activities.

First point: be ready

If one were to imagine a handbook of conduct for this case, the first rule would be: be ready to manage an inspection by the Guarantor for the protection of personal data. Inspections are usually preceded by reports or complaints, or they are initiatives of the Guarantor within a well-defined road map. In any case, if a company is contacted by the competent authority to obtain specific information on its business, an inspection visit is likely to follow soon, possibly in person. In less serious cases, the Gdf takes care of routine visits. In the most serious cases, it is the Guarantor's own inspectors, without the support of the Guardia di Finanza unit. As the lawyer Gianluigi Marino, partner at OsborneClarke, wrote (AboutPharma n°154, pages 90-91), if the inspection is carried out in person by the inspectors, the situation can be expected to become contentious, and the inspection may uncover further possible violations. Therefore, who carries out the checks indicates the authority's greater or lesser level of awareness of the inspected company's problems.

Second point: find the right answers

The checks can be announced (the day before) or take place by surprise. A document called a “request for information” precedes the inspection. With this document, served at the moment of access to the premises, the company is asked to account for all legislative and regulatory obligations regarding personal data. How is consent collected? How is the information notice given to data subjects? How are external data processors contracted? All questions that need an answer.

Third point: have someone who follows the inspections

Internal procedures must be streamlined and fast. The inspectors must be received immediately. Generally, this task is performed by the internal privacy manager, the head of the legal department, the head of the compliance function or the DPO.

Fourth point: verbalize what happens and what is said

Everything must be transcribed, recorded and checked. It is better to reserve the right to verify the correctness of what has been declared, and better still if everything is reviewed by an in-house lawyer or an external consultant.

Fifth point: have well-established privacy compliance

It will be easier to access the required documentation. In any case, fourteen days are allowed for sending the material, so there is nothing to worry about if the inspectors' requests cannot be met immediately. It happens frequently.

Sixth point: consider the duration of the operations

The investigations last about two or three days. It is therefore necessary that the company representative in charge of following them draws up an exhaustive report on what happened.

Seventh point: never release original documents

Hand over copies only. Furthermore, it is necessary to take note of the databases inspected, obtain a copy of the report from the inspector, and always give truthful information. In case of doubt, it is better not to answer and to defer to subsequent investigations. As with university exams, it is better to remain silent than to give an incorrect answer. In the case of confidential documentation, it is a good idea to redact or anonymise sensitive data that you do not want to disclose to the inspector, for example the economic terms of the agreements. Marino wonders: "will organisations be sufficiently responsible to withstand the impact of the GDPR and the new waves of inspections in the coming semesters?".

Eighth point: there will be no exceptions

In recent weeks, news circulated, which later turned out to be false, about a possible transitional period to be granted to non-compliant companies after 25 May 2018. The Guarantor had to intervene publicly to deny any information relating to this "bridge period" and to confirm the effective entry into force on 25 May. Indeed, to be honest, there has already been a sort of transitional period: the Gdpr came into force in 2016, but the European institutions decided to grant an additional two years to allow companies to adapt.


Note (European Privacy Guarantor): «filing system»: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

«consent of the data subject»: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject has the right to withdraw consent at any time.

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes («purpose limitation»);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay («accuracy»);

Processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
