Privacy and data protection services

What do we know today about data processing and its importance?

There has been much talk about the new European GDPR regulation, about which subjects are involved in this reform and about how urgent it is to adapt and put it into practice.

Since the GDPR came into force, OverEagles has developed its own proactive approach to comply with every aspect of this innovative regulation, offering its know-how in this field through a practical response for companies, accompanied by case studies.

European Regulation 2016/679 (GDPR): what is its scope?

The European regulation on privacy and data protection applies to everyone who processes personal data outside a purely private context, even where such data are limited, for example, to the personal e-mail addresses of representatives of client companies, the names of external consultants or suppliers, or the information needed to manage the payroll of employees of a third company to which accounting advice is offered.

What has changed compared with Legislative Decree 196/2003, the so-called "Privacy Code"?

The new legislation has revolutionised the approach to the matter and put back into the hands of those who process the data, the so-called controllers and processors, both the analysis of their own situation and the choice of the tools with which to address the risks to privacy and data protection.

How to be compliant?

Being compliant with the GDPR does not mean uncritically adopting a set of standard measures; it means being able to demonstrate accountability. In a nutshell, the controller must be able to show the reasoning behind its choices: which requirements apply, how they were implemented in light of the risk identified (the so-called "risk-based approach"), and how that logical path is reflected in the measures actually put in place and in the substantive content of the documentation produced. The path followed must also show compliance with the key principles of the European legislation and make clear whether privacy has actually been built in "by design" and "by default".

Why rely on OverEagles to be accountable and compliant?

The administrative and accounting advice we offer gives us a complete overview of your business and simplifies the analysis of the purposes and legal bases of the processing you carry out, as well as the related risks. In this context, adopting the necessary measures becomes part of the process of making your company efficient and solid. The continuous nature of the relationship also allows us to keep any change in the context of the processing constantly under control and to update the measures and documents prepared, including in response to European and Italian regulatory and case-law developments.

How to proceed?
The path begins with a preliminary analysis of the areas in which data are processed, with the main purpose of understanding the scope. This is the most delicate phase, because it is not always obvious which data refer, or could refer, to identified or identifiable natural persons. Once the existing processing activities have been mapped, the risk associated with each of them and the measures needed to mitigate it must be weighed. Nor is that all: for the processing to be lawful, each processing activity must have a legal basis and a purpose that respect the principles underlying the regulation, such as proportionality and data minimisation, lawfulness, fairness and transparency, integrity and confidentiality. Finally, a retention period appropriate to the processing must be defined, since it is not lawful to keep data beyond the time necessary, for example in the hope that they might prove useful at some point in the future.


Once this information has been collected, is it sufficient to adopt standard models of privacy policies?
The measures needed to be compliant and accountable involve preparing documents that are closely tied to the company's actual situation and that reflect the results of the analysis carried out beforehand. Beyond the privacy policy, the contracts appointing data processors and any collection of consent, it is also appropriate to be able to show, for example, why records of processing activities have not been kept or why no data protection officer (the so-called "DPO") has been appointed. Depending on the risk identified, a data protection impact assessment may also be required for individual processing activities; on that basis, the company should identify which changes to the processing and which organisational and IT security measures have been adopted to address the critical issues that emerged.

Is it sufficient to ask for the consent of all the data subjects involved in the processing I carry out, or to rely on consent already collected?
Under the new legislation consent has lost its central role and has become only one of the legal bases on which processing can rest. The choice of basis should be weighed carefully by the controller, since consent can always be withdrawn by the person who gave it. Identifying the legal basis is a delicate and central step for anyone who processes data, and it rests on both lawfulness and expediency: each legal basis has its own limits and advantages, which are not always easy to identify.

Before the GDPR we were compliant with privacy law; do I have to overhaul the business structure again?
Although it is mandatory and offers an opportunity to reorganise one's own structure and address its weaknesses, complying with and applying the law does not necessarily imply radical changes. Where they are still valid, some of the organisational and security measures already in place can be kept or updated. The purpose of the regulation is not only to protect data processing but also to let companies in the European market operate efficiently, locally or globally, internally and externally, without prior checks by the authorities, provided they are ready to demonstrate their accountability and compliance in the event of an inspection by the Italian Privacy Authority.


Is compliance with the regulation, therefore, aimed only at avoiding inspections and penalties?
Are the risks of inspection real?
Now that the eight-month transition period, during which the Italian Privacy Authority took account of the initial phase of application of the regulation, has ended, compliance with the requirements set by the GDPR and by the Italian implementing decree (Legislative Decree 101/2018) is of primary importance. Failing that, the Authority may impose significant corrective measures (for example, mandatory security measures for the places where processing is carried out, whether physical premises or IT equipment, the appointment of a DPO, or limits on the data individual employees may access), fines (up to 2% or 4% of annual turnover, or 10 or 20 million euros, whichever is higher) or prohibitions (deletion of the data or suspension of the processing).
The Italian Privacy Authority focuses its action on priority areas selected every six months, but it does not act only on its own initiative, sector-wide or by sampling. An inspection may also be triggered by data subjects, through claims, complaints or even mere reports; it may follow a loss of data or a data breach (which must be notified to the Authority within 72 hours of the controller becoming aware of it, describing the measures taken to address it and to prevent it from happening again); or it may follow a data subject's exercise of his or her rights where the controller or processor has failed to act on the request.

Disclaimer
Nothing on this site constitutes legal advice. The information on this site must not be relied upon without first obtaining the necessary professional legal advice.