Parties involved in the privacy structure
The interested party (the data subject) is the natural person to whom the personal data refer. So, if a processing operation concerns, for example, the address, the tax code, etc. of Mario Rossi, this person is the "interested party" (Article 4, paragraph 1, point 1, of EU Regulation 2016/679);
The owner (the data controller) is the natural person, public authority, company, public or private body, association, etc., which decides on the purposes and methods of the processing (Article 4, paragraph 1, point 7, of EU Regulation 2016/679);
The data processing manager (the data processor) is the natural or legal person whom the owner asks to perform specific and defined management and control tasks on the processing of data on the owner's behalf (Article 4, paragraph 1, point 8, of EU Regulation 2016/679). The Regulation itself introduced the possibility that a manager may, in turn and under certain conditions, designate another, the so-called "sub-manager" (Article 28, paragraph 2).
Guardia di Finanza verification and control activities
On May 25, 2018, the new privacy rules officially came into effect, and at the same time the control and inspection activity of the Guardia di Finanza began, on the recommendation of the Italian Privacy Guarantor. Specifically, the inspections were launched as of the date of application of the EU legislation and concern the mandatory and fundamental obligations for compliance with the GDPR; briefly, they can cover:
- verification of the adequacy of the privacy information;
- document verification of appointment and designation documents;
- appointment of the DPO, the Data Protection Officer (where applicable);
- controls on the measures envisaged in the event of a data breach (to be understood not as extreme situations but as all cases of accidental and occasional loss of data, such as the theft of a PC, a hard disk, etc.);
- verification of the processing registers: this will be the basis of the inspection activity, the point from which the Guardia di Finanza will start to evaluate the privacy protection measures implemented;
- verification of the risk analysis (the DPIA, Data Protection Impact Assessment, governed by Articles 35 and 36 of the GDPR);
- IT technical checks on the prevention measures in place at the facilities;
- verification of the methods and adequacy of data retention.
The Data Protection Officer - DPO
The basis of the new controls is the ability of the company or professional to account for the assessments made. In this sense, the role of the DPO (Data Protection Officer) will be central.
Briefly, the DPO has the function of supporting the data controller, employees and data processors in protecting the data and managing the risks, following the principles and indications of the European Regulation laid down by Article 39 of the GDPR.
In practice, the DPO is a technical and legal consultant with executive power. Its operational role is therefore twofold: it not only advises and supervises, but also acts as an intermediary, legitimated by the appointment and by the EU Regulation, between the organization and the Guarantor Authority.
Briefly, its main tasks are three: to inform, to monitor and to cooperate.
Note that a good DPO is a facilitator as well as an overseer, and must be adequate to and understand the role with reference to the context in which he operates. Precisely for this reason it is useful to suggest right now that the person chosen for the role should have knowledge of both legal and IT matters, so as to support the Owner and the organization by devising solutions that are operationally practicable and at the same time in line with the provisions of the legislation under examination.
It is not the Guardia di Finanza that applies the sanctions in case of violation of the privacy rules. The inspection activity must be carried out in order to ascertain compliance with the protection principles established by the GDPR. Should the Guarantor deem it necessary to apply the sanction, the elements collected during the inspections will ensure that it can be applied in an effective, proportionate and dissuasive manner.
The EU Regulation divides privacy violations into two broad categories:
Less serious privacy violations, resulting in a fine of up to 10 million euros, or an administrative fine of up to 2% of the company's worldwide turnover.
Violations relating to the methods of carrying out data processing prescribed by the GDPR can fall into this category:
- Lack of the data processing register (of the data controller or data processor);
- Failure to appoint the DPO (in cases where the role is mandatory);
- Failure to carry out the DPIA impact assessment (in cases where it is mandatory for the structure);
- Failure to notify the authorities of a data breach;
- Violation of the obligations of the certification body.
Serious privacy violations, resulting in a fine of up to 20 million euros, or an administrative penalty of up to 4% of the company's worldwide turnover.
Violations of the general principles laid down by the GDPR can fall into this category:
- Lack of consent to processing (in cases where explicit consent of the interested party is required);
- Violation of the rights of the interested party;
- Lack and / or inadequacy of the privacy information;
- Violation of the provisions regarding the transfer of data to third countries (outside the EU).
However, the GDPR does not indicate the minimum amount of the penalties, but establishes the criteria for determining the penalty, which must be set according to the criteria of effectiveness, dissuasiveness and proportionality. The Regulation therefore establishes the calculation criteria for the quantum of the sanction according to the evaluation of:
- severity of the damage
- willful misconduct or fault of the owner or manager in committing the infringement
- measures adopted by the owner or manager to mitigate the damage to the interested parties
- reiteration of illegal facts relating to the processing
- concurrence of violations
In the inspection, the concept of accountability will be key: during the monitoring process the company or the professional will have to demonstrate, with logical reasoning and evidence, what has been done and what has not, including the reasons for any non-performance (failure to appoint a DPO, failure to keep the Register).
Not only will it be necessary to process the data according to the provisions of the GDPR, but it will also be necessary to demonstrate awareness of how the data are processed and stored. The data controllers must give a responsible account of what has been done.
In particular, the Corps (the Guardia di Finanza) collaborates in the inspection activity conducted by the Guarantor through:
- the retrieval of data and information on the subjects to be controlled;
- assistance in relations with the Judicial Authorities;
- the participation of its staff in accessing databases, inspections, verifications and other surveys in the places where the processing takes place;
- the development of delegated or sub-delegated activities to ascertain violations of a criminal or administrative nature;
- the contestation of the administrative sanctions found in the context of the delegated activities;
- the execution of fact-finding surveys on the state of implementation of the aforementioned Law in specific sectors.
As already mentioned, the GDPR provides only two types of administrative sanctions, which can be summarized as follows:
- up to 10 million euros or, for companies, up to 2% of the total annual worldwide turnover of the previous year, whichever is higher;
- up to 20 million euros or, for companies, up to 4% of the total annual worldwide turnover of the previous year, whichever is higher.