Welcome to the Privacy and Data protection section

To defend your privacy and your personal or business data, you need to choose the most effective protection, through the help of an expert.

Below a list of the main topics on this subject to help you.

  1. Privacy Adjustment for companies
  2. Analysis of the Privacy Adjustment
  3. Privacy Adjustment for websites
  4. Appeals to the Italian Data Protection Authority
  5. Legal actions concerning privacy matters
  6. Privacy and GDPR Advise
1

Privacy Adjustment for companies

The European regulation has deeply changed the organization of this subject.

The Decree Law no 196 of June 30, 2003 “Privacy Code” contained a list of measures that the controller should have adopted to be compliant.

From May 25, 2018 things have changed. The EU Regulation 679/2016 founds the protection of personal data on the accountability principle stating that the controller chooses the most suitable measures to guarantee the best security of persona data.

The law doesn’t list the precautions to be adopted. Each controller must use the technical and organizational measures to guarantee the best possible protection according to his/her activity and the processing that wants to realize and also taking into account the technologies at his/her disposal.

The right planning and implementation of an adequate model of privacy managing allows the adoption of logic, physic and organizational measures able to reduce the risks, in particular of the loss of data, unlawful communications and non-authorized accesses.

The adoption of efficacious measures of personal data protection has an important effect even for the protection of all the business assets.

Setting a system of computer security guarantees a protection of the data of clients, potential clients, employees and others and is also a defense from eventual information leaks or theft. Thus, it is part of the so-called “data protection”.

Following the EU regulation and showing it saves you from the fines of the Italian Authority and it is also an advantage in terms of trust and competitiveness on the market.

For an efficacious privacy adjustment, the advisor musts study the business organization – that requires time and attention – and then s/he agrees with the company the model of personal data protection to activate to that company.

Models are not unique and need to be adjusted to each reality.

Our professionals are ready to advise you according to your specific necessities.

2

Analysis of the Privacy Adjustment

The privacy management has changed with the GDPR, EU Regulation 679/2016, and it became a real business process.

Adopting the “technical and organizational measures” is not enough. What has been implemented has to be verified continuously with analysis and updates.

Among the duties of a controller there is also the definition of the technical and organizational measures of the model adopted and its update.

Therefore, it is good to program some audit with the aim to verify and show to the Authority that the organizational structure follows a process of constant control of the procedures adopted and that it alwaysadjusts to the internal changes and to the technological evolution.

The scheduling of the audits is important in the management of the staff and also for the purposes of the law on administrative responsibility of the bodies.

The audit activities, inspections included, may be fulfilled by the controller himself but more often is suggested to entrust it to an external professional knowing the regulation of personal data processing. 

The verification of the measures concerns the internal organization of the company (internal audit) and the external professionals acting as processor (external audit).

The internal audit is made inside the organization and is part of the system of its internal controls. It is one of the useful instruments to control the right development of the activities and verify that the procedures are followed and adequate.

The external audit is made by thirds, that is the processors, who have been delegated of part of the processingmay be of two kinds.

The first kind precede the signature of the contract and is stricter than the second.

Before choosing the supplier processing personal data for us, it is necessary to assess if it meets the requirements and the necessary warranties provided by the GDPR to protect its data and those of the subjects who resort to us and to avoid fines.

The second kind f audit follow the first and has the aim of verifying the right fulfillment of the instructions provided by the contract and the respect of the regulation on the subject, even after the assignment.

After the audit, the advisor decides the “compliance” or “not compliance” of the processing to the organizational model set and it may be furnished the indication to create the best level of protection possible.

3

Privacy Adjustment for websites

The privacy adjustment concerns all the organization of the controller and all the instruments used.

A website is the showcase of the business activities of the owner, the business card par excellence, but it is also an important mean for information and personal data.

In the past few years, the Italian Data Protection Authority has talked several times about the personal data processing on the internet. The provision related to cookies of May 8, 2014 is very important because has clarified the duties for the usage of cookies linked to websites.

A business website must undergo an attentive analysis according to its function.

Even a simple informative website shall follow the regulation on personal data protection if it somehow collects or process personal data.

Each choice made by the controller should be evaluated from a technical and commercial point of view and be compliant to the EU privacy regulation.

It is sufficient to think to a simple form of contact or to the “work with us” sectionthrough which the candidates can send their curriculum vitae. These are instruments to collect data which require a specific policy that can be created only after the examination of the stream of information, where it is stored and how it is used.

Unfortunately, websites are often a succession of copy and paste but to avoid notifications or sanctions it is necessary to talk to an attorney dealing with this specific field and able to find the right solution for your case.

4

Appeals to the Italian Data Protection Authority

The EU Regulation 679/2016 provides the possibility to submit an appeal to the Authority, the Italian Data Protection Authority, if one believes that is experiencing an illicit processing of its own personal data.

In case of violation, first of all, one can and must write to directly to the controller asking for clarifications or for an intervention aimed at canceling the data or the unpleasant publication.

If the controller does not answer, one can address the Data Protection Authority pursuant to art. 77 of the Regulation, submitting an appeal specifying what happened and the reasons of the assumed violation.

The Data Protection Authority studies the case and issues the adequate provisions, it can also impose sanctions and order the controller to act to end the violation.

The Data Protection Authority studies the case and issues the adequate provisions, it can also impose sanctions and order the controller to act to end the violation.

On the contrary, if you received an appeal and the Data Protection Authority has called you, you need to go immediately to your DPO (Data Protection Officer). In case you have not appointed a DPO, contact an attorney with experience in this field who can assist you properly.

5

Legal actions concerning privacy matters

The EU Regulation 679/2016 provides the possibility to act before an ordinary Judge to ask for the end of an unlawful processing and also to act against a decision of the Data Protection Authority.

Any natural or legal person has the right to file a jurisdictional appeal against the juridically binding decision of the Data Protection Authority or when the Controlling Authority does not process the appeal or it does not act for more than three months after the proposition of the appeal.

Art 82 EU Regulation 679/2016 states that whoever suffers a material or non-material damage caused by a violation of the Regulation has the right to obtain compensation from the controller or the processor.

Legal actions aimed at obtaining a compensation should be promoted before the competent jurisdictional authorities according to the law of that member state.

The compensation should be requested exclusively through a jurisdictional appeal before the lay Judge. It cannot be requested with an administrative appeal.

Laura Turini Esq. can assist you both with the filing and the defense from these actions. 

6

Privacy and GDPR Advise

The assistance in the privacy field is essential to any company.

It is indispensable any time a company faces a notification, a verification by the Data Protection Authority, or worse, a legal action started by someone that claims to be suffering a violation.

In that case, before making any mistake, it is important to resort to an attorney dealing with the procession of personal data to obtain the right indications.

The assistance is more important – as a preventive measure – to avoid actions or notifications that can be very expensive.

Any choice dealing with the processing of personal data must be evaluated in light of the main principles of the EU Regulation 679/2016: pertinence, limitation, necessity.

Even after the adjustment of the entire organization, the usage of new technologies or the individuation of a new processing can take to a new analysis of the measures adopted or to be adopted.

Do you need to talk to an ttorney at law?

Book a consultation with one and expert of Ufficiobrevetti.it, it only takes a few minutes…

  • Answer few questions and make the payment
  • Select the date you prefer 
  • Receive the link for the video call