Data Protection in Italy

From GDPRhub
Data Protection in Italy
Data Protection Authority: Garante per la protezione dei dati personali (Italy)
National Implementation Law (Original): Codice in materia di protezione dei dati personali
English Translation of National Implementation Law: n/a
Official Language(s): Italian
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): Link

Legislation[edit | edit source]

History[edit | edit source]

The first organic regulation of the Italian data protection framework was provided by law n. 675/96, implementing Directive 95/46/EC.

Law n. 675/96 has then been replaced by Legislative Decree 196/2003 (Codice in materia di protezione dei dati personali or the "Code"), which has defined the core of privacy in Italy for more than two decades.

National constitutional protections[edit | edit source]

The Italian Constitution does not expressly refer to a right to privacy or data protection. However, building on Articles 14 (inviolability of domicile) and 15 (confidentiality of correspondence), both the Constitutional Court (Dec. n. 81/1993) and the Supreme Court of Cassation (Dec. n. n. 2129/1975 - Soraya) have regularly defined the privacy as a fundamental human right.

National GDPR implementation law[edit | edit source]

In Italy the GDPR is implemented by the Codice in materia di protezione dei dati personali. Following the introduction of the GDPR, the Code has undergone a considerable modification by Legislative Decree 101/18. The adaptation decree repealed most of the previous provisions and integrated the national legislation with the new Regulation.

Age of consent[edit | edit source]

Under Article 2-quinquies of the Code, a child over the age of fourteen may consent to the processing of his/her personal data in relation to the direct offer of services of the Information Society. Without prejudice to Article 8(1) GDPR, for child under the age of fourteen, consent is only valid if provided by the person exercising parental responsibility.

Freedom of Speech[edit | edit source]

The Code contains a specific discipline regarding the processing of personal data for journalistic purposes.

In particular, Article 137 of the Code provides that personal data, including those referred to in Articles 9 and 10 of the Regulation, may also be processed without the consent of the data subject, provided that the deontological rules referred to in Article 139 of the Code are respected.

On 29 November 2018, the Garante adopted the Regole deontologiche relative al trattamento di dati personali nell’esercizio dell’attività giornalistica.

Employment context[edit | edit source]

The Privacy Code contains specific rules on the processing of data in the context of the employment relationship.

In application of Article 88 of the GDPR, Article 111 of the Code provides that such data shall be processed in accordance with the rules of ethics referred to in Article 139 of the Code. These rules have not yet been adopted.

Article 113 of the Code prohibits any investigation or processing of data or pre-selection of workers, even with their consent, on the basis of personal beliefs, trade union or political affiliation, etc..

Article 114 of the Code refers to Statuto dei lavoratori and sets a general prohibition to use audio-visual and other technical equipment for purposes of controlling the activity of employees.

Article 115 protects the working conditions, integrity and personality of the domestic or remote worker.

Research[edit | edit source]

In accordance with Article 105 of the Code, personal data processed for statistical or scientific research purposes may not be used to take decisions or measures relating to the data subject, nor for other purposes.

Statistical and scientific research purposes must be clearly determined and made known to the data subject, in the manner set out in Articles 13 and 14 of the Regulation, including in relation to the provisions of the relevant code of ethics (see also Article 106, paragraph 2, letter b) of the Code).

Other relevant national provisions and laws[edit | edit source]

You can help us fill this section!

National ePrivacy Law[edit | edit source]

Italy has implemented Directive 2002/58/EC (as amended by Directive 2009/136/EC) mainly in Articles are 121 - 132-quater of the Code.

Cookies are regulated in Article 122 of the Code.

Spam Emails and other types of advertisement are regulated in Article 130 of the Code.

Data Protection Authority[edit | edit source]

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is the national data protection authority for Italy.

→ Details see Garante per la protezione dei dati personali (Italy)

Judicial protection[edit | edit source]

Civil Courts[edit | edit source]

Disputes concerning the protection of personal data are held before a civil court. The competent court is alternatively the one of the place where the data controller resides or has its seat or the court of the place of residence of the data subject.

The appeal against the DPA's decision including those issued following a complaint of the interested party, is proposed, under penalty of inadmissibility, within thirty days from the date of communication of the measure or within sixty days if the claimant resides abroad.

Administrative Courts[edit | edit source]

You can help us fill this section!

Constitutional Court[edit | edit source]

The Italian Constitutional Court does not have a particular jurisdiction over the data protection framework. The Court can of course invalidate any national legislative act violating the Constitution, also by means of a violation of the European Law.