Italian DPA plan of privacy inspections for the 1st half of 2019 unvailed

The Italian data protection authority gives interesting insights and raises concerns on its plan of privacy inspections and the activities performed in 2018.

The Italian plan of privacy inspections for the first half of 2019

As it happens every 6 months, the Italian data protection issued its plan of privacy inspections that are usually performed by means of dawn raids and will target, among others, data processing activities performed by:

• banks;
• companies for marketing purposes;
• public institutions in relation to large databases;
• companies with reference to profiling activities concerning loyalty cards members and
• private and public companies with reference to
  • the lawfulness of the data processing and obtained consent,
  • the provision of a valid privacy information notice,
  • the adoption of adequate security measures in the processing of health related data and
  • the observance of the maximum data retention period.

What lessons from the plan?

One of my previous blog post (“Top 5 immediate actions to get ready for Italian privacy dawn raids“) summarizes the key insights arising from our event run with the head of the tax police in charge of privacy inspections. And such actions shall be reassessed in the light of the plan indicated above since the approach of the Italian data protection authority is, among others, to:

1. carefully assess whether the legal bases of the data processing indicated in the privacy information notice are correct. And in this respect, the reference to multiple legal bases of processing without explaining when each applies and how shall be avoided;
2. ensure that privacy information notices are transparent and outline the actual data processing activities that are performed, rather than having a single privacy information notice that applies to any possible data processing activity, just because it is more convenient;
3. verify that marketing consents have been properly and freely obtained, is possible to prove them and whether profiling can be performed on either consent, or legitimate interest or a different legal basis;
4. implement technical and organizational measures able to guarantee compliance with applicable data retention periods; and
5. adopt technical and organizational measures that are adequate to the level of risk to which processed personal data are exposed.

What activities were performed by the Italian DPA in 2018?

The Italian data protection authority also provided an outline of the activities performed during 2018 when:

• 175 challenging orders were issued, compared to 109 of 2017 with € 8,161,806 of total fines that were cashed in, compared to € 3,776,694 of 2017;
• 707 administrative breaches were challenged, compared to 589 of 2017; but
• only 27 cases were reported to criminal authorities, compared to 41 of 2017, as Italian privacy law provides for criminal sanctions in connection with some privacy breaches.

The markets that have been more investigated in 2018 are:

• financial institutions;
• rating and credit scoring agencies;
• hospitals transferring health data to third parties for research purposes;
• telemarketing companies;
• money transfer providers;
• insurance companies offering telematics services through the so called “black boxes” installed on vehicles; and
• providers of telemedicine services by means of Apps.

The above is the confirmation once again that – regardless of the transition to the GDPR – the Italian data protection authority did not slow down its activity during 2018, but on the contrary the applicability of the GDPR gave them new resources which might make their police activity even more invasive.

On the topic, you can find interesting the article “How to be prepared for privacy dawn raids under the GDPR?” and indeed being prepared to privacy inspections needs definitely to become an essential element of a privacy compliance program. Also, it may be helpful the video below as part of my videoblog “Diritto al Digitale”