Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR)
Published in the Official Journal of the European Union on May 4, 2016, it entered into force on May 24, 2016, but it became applicable only two years later, from May 25, 2018.
Being a regulation, it is directly applicable and does not need to be transposed into national law by the Member States. Its aim is the definitive harmonization of personal data protection law across the European Union.
Privacy law is a set of rules designed to ensure that the processing of personal data respects the human rights and fundamental freedoms of everyone.
The fundamental principle is that everyone has the right to exercise control over information concerning them. Privacy is the right to know that someone else is collecting information about us, what kind of information they are collecting and for what purposes they intend to use it. It is not limited, however, to keeping the individual a passive subject of the (direct or indirect) management of information concerning them: it makes them an active subject in that management, not only as regards the type of personal information involved, but above all through the right to decide whether to allow that collection and use or to refuse consent.
Privacy legislation therefore guarantees the freedom to exercise control over information concerning us by putting the data subject in a position to choose whether to allow someone else to collect information about them and for what purposes it may be used.
In modern society, communication techniques and the ease of dissemination and duplication of information allow individuals, entities, companies and others to collect and use information referring to a person, with or without that person's knowledge, and to use it for the most varied purposes, in any case regardless of the will of the data subject. Privacy is thus a tool for protecting one's own confidentiality, and it governs the right of each person to dispose of the data that concern them and that describe and qualify their individuality.
Equally fundamental is the principle that, even when data have been freely and knowingly made available for use by the data subject, they can at any time be made private again by decision of the person the data concern. More briefly and technically: consent can be withdrawn at any time by the data subject (Article 7(3) of the Regulation).
Privacy legislation therefore constitutes one of the fundamental prerequisites of individual freedom and of the exercise of the rights guaranteed by the fundamental principles of the European Union.
The Italian Authority
The Guarantor for the protection of personal data (Garante per la protezione dei dati personali) is a collegial body made up of four members elected by Parliament, who remain in office for a non-renewable seven-year term.
The current College was elected by Parliament (pursuant to Article 153, paragraph 2 of the Italian Personal Data Protection Code, Legislative Decree no. 196/2003) on July 14, 2020 and took office on July 29, 2020.
The board is made up of the following members: Prof. Pasquale Stanzione (president); Prof. Ginevra Cerrina Feroni (vice-president); Dr. Agostino Ghiglia (member); Guido Scorza (member). The duties of the Guarantor are defined by Regulation (EU) 2016/679 and by the Personal Data Protection Code.
With the European Regulation we move from a proprietary view of data, under which data cannot be processed without consent, to a view based on control of data, which favors their free circulation while strengthening the rights of the data subject, who must be able to know whether and how their data are used, in order to protect both the individual and the community as a whole from the risks inherent in data processing.
Privacy is a fundamental right recognized today by the legal systems of all European countries and of the main nations of the world, which treat the protection of personal data as a fundamental right of the individual. Privacy must be understood as a set of rules created to ensure that the processing of personal data is carried out in compliance with the fundamental rights and freedoms of everyone, because everyone has the right to the protection of personal data concerning them.
See Article 1(2) of the Regulation:
"This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
The Regulation shifts the focus of the legislation from the protection of the data subject to the responsibility of the controller and the processors. The English term "accountability" has no exact equivalent in Italian; the Italian text of the Regulation renders it, somewhat improperly, as "responsabilizzazione" ("responsibility"). Generally speaking, the most accurate translation, even if not very practical, would be "reporting", in the sense of being able to account for what one has done.
Under the accountability principle, in fact, the Regulation requires the controller to adopt policies and implement adequate measures to ensure, and to be able to demonstrate, that the processing of personal data it carries out complies with the Regulation.
In particular, the GDPR embodies this principle in Article 24, which provides that, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation. Those measures are to be reviewed and updated where necessary. Furthermore, where proportionate in relation to the processing activities, the measures include the implementation of appropriate data protection policies by the controller.
Accountability is now seen as a practical approach to privacy and to the processing of personal data; it therefore aims at developing tools that organizations can use to assess the state of their own accountability and report on it to the supervisory authorities for the protection of personal data.
There is therefore no doubt that, in the context of the protection of personal data, the concept of accountability plays a fundamental role: it is the key to reading and interpreting the conduct that the controller must adopt when faced with a question, a problem or a doubt about the correctness of the organizational or technical process underlying a data processing operation.
In particular, the need to implement measures to protect and guarantee the data processed is emphasized, with a completely new approach that leaves controllers the task of deciding independently the methods and limits of data processing, in light of the specific criteria set out in the Regulation:
- the " privacy by design " principle (data protection by design and by default, Article 25), according to which products and services must be designed from the outset so as to protect users' privacy, that is, the processing must be planned and configured from the start with safeguards for the rights of the data subjects;
- the risk of processing , understood as an assessment of the negative impact on the rights and freedoms of the data subjects.
The approach of the GDPR, focused more on data protection than on the user as such, represents in a certain sense a step backwards compared to the previous legislation. It is a risk-based approach, in which the extent of the responsibility of the controller or processor is determined taking into account the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to users' rights and freedoms.
A risk-based approach has the obvious advantage of imposing obligations that can go beyond mere formal compliance with the law; it is certainly more flexible and more adaptable to changing needs and technological tools.
A risk-based approach, however, has the disadvantage of delegating the risk assessment to the company itself, which makes disputes more difficult in the event of violations.