Download free GDPR compliance checklist!

Tag Archives for " Italy "

Italy fines gas company EUR 11.5 million for unsolicited telemarketing

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities – advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions – many individuals learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills.

Source: THE ITALIAN SUPERVISORY AUTHORITY FINES ENI GAS E LUCE EUR 11.5 MILLION – On account of unsolicited telemarketing and contracts

Data for money: App facilitating data portability now under the EDPB’s scrutiny

A number of Italian retailers submitted to the Italian Data Protection Authority, the Garante, very similar complaints concerning massive data subject requests received from Italian startup Weople.

Weople exercised, on behalf of the individuals that subscribed to its services via a mobile app, the right to data portability in connection to the personal data collected by the retailers’ loyalty programs. The transfer of such data was to go directly to Weople.

Full article: Data for money: App facilitating data portability now under the EDPB’s scrutiny

Italian Supervisory Authority approves Code of Conduct under the GDPR

On September 12, 2019, the Italian Supervisory Authority (Garante) approved a code of conduct for consumer credit agencies, pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

Source: Italian Supervisory Authority approves Code of Conduct under the GDPR

Italian DPA Issues Judgment Concerning ‘Right to be Forgotten’

On July 22, 2019, the Italian supervisory authority for data protection (Garante) issued a judgment involving the so-called “right to be forgotten”.

The Garante held that, in accordance with Article 21 of the GDPR, the data subject has the right to object to the processing of personal data on the grounds of his or her particular situation.

On that basis, Google is required to stop the processing of the personal data unless it can demonstrate compelling legitimate grounds.

Furthermore, the Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person. Thus “right to be forgotten” applies to any searches, not exclusively to searches by individual’s name.

Source: Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’

Facebook fined by Italian DPA €1M over Cambridge Analytica scandal 

Italy’s privacy regulator fined Facebook €1 million Friday for violations connected to the Cambridge Analytica scandal — the largest fine against the social networking giant connected to that case.

The €1 million fine follows a previous £500,000 sanction by the British privacy watchdog, which similarly found that the tech giant had not sufficiently protected people’s online data

Source: Facebook fined €1M over Cambridge Analytica scandal – POLITICO

Users must receive specific and helpful information in case of a data breach

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach

Italy’s DPA Fines Data Processor for Information Security Failures

Italian Data Protection Authority, Garante, has issued a 50,000 EUR fine against a data processor platform for its failures to implement several information security measures.

Measures addressed by Garante includes: conducting periodic vulnerability assessments, ensuring timely implementation of patches, requiring strong passwords and ensuring password security.

Source: Italy’s DPA Fines Data Processor for Information Security Failures | Privacy Compliance & Data Security

Italian DPA calls for end of Whatsapp/Facebook “data sharing practices” as investigation finalises

Earlier this year, the Italian DPA closed its investigation into WhatsApp sharing data with Facebook. The investigation started in August 2016, after changes to the “terms of service and privacy notice” by WhatsApp.

Those changes were related to the sharing of some information about WhatsApp accounts — such as users’ phone numbers, device information, and “last seen” access — with Facebook for the following purposes: business analysis analytics, system security, and targeted advertising.

Full article: Italian DPA calls for end of Whatsapp/Facebook “data sharing practices” as investigation finalises

GDPR Italian Implementing Decree Has Been Published

On 4 September, the Legislative Decree no. 101 of 10 August 2018 (the “Decree”) for the national implementation of General Data Protection Regulation (EU) 2016/679 (the “GDPR”) has been published in the Official Journal . The approach of the legislator was to maintain the structure of former Legislative Decree 196/2003 (the “Privacy Code”) which, however, has been extensively amended and integrated, and now contains only some residual provisions in addition to those of the GDPR which are directly applicable.

Source: GDPR Italian Implementing Decree Has Been Published

Italy’s Data Protection law integrating the GDPR finally in place

Italian privacy law integrating the GDPR is finally in place, but a number of provisions remain unclear, but need immediate action. After having spent the well-deserved summer break, Italians are back to work and the legislative decree integrating the GDPR has been finally published on the Official Gazette and will be binding with effect from the 19th of September 2018.

Source: ITALY: Data Protection law integrating the GDPR in place

1 2 3