Garante per la protezione dei dati personali (Italy) - 10021468

From GDPRhub
Garante per la protezione dei dati personali - 10021468
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 28 GDPR
Article 33(2) GDPR
Regolamento per le infrastrutture digitali e per i servizi cloud per la pubblica amministrazione
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 09.05.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 10021468
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Martina

The document is an opinion of the Data Protection Authority on the draft regulation for digital infrastructure and cloud services for public administration.

English Summary

Facts

Article 2 of the draft regulation under consideration set out its objectives and the standards to be adopted. Specifically, the draft regulation:
- established the minimum levels of security, processing capacity, energy saving and reliability of digital infrastructures for public administrations and of cloud service infrastructures;
- defined the characteristics of quality, security, performance, scalability, interoperability and portability of cloud services for public administrations;
- identified the terms and methods for the migration of data and digital services of public administrations;
- defined the methods of the qualification procedure for cloud services for public administrations.
The draft regulation also identified the procedures by which public administration infrastructures and cloud services are to be adapted to these requirements.

The opinion focuses on Article 22 of the draft regulation, which governs the processing of personal data and provides that:
- the administrations are the controllers of the personal data processing carried out in the context of digital infrastructures and cloud services;
- operators of digital infrastructures, cloud service providers and any other entities involved in the processing, as well as the entities they use to carry out specific processing activities on behalf of the administrations, act as processors within the meaning of Article 28 GDPR; they must adopt suitable technical and organisational measures to ensure timely and adequate information to the administrations in the event of a personal data breach, pursuant to Article 33(2) GDPR;
- in the event of a transfer of personal data outside the European Economic Area, the processors must comply with the administrations' instructions issued pursuant to Article 28(3)(a) GDPR and make available to them all information necessary to assess the effectiveness of the measures put in place;
- the ACN (National Cybersecurity Agency) must communicate to the Garante any evidence it becomes aware of relating to possible personal data breaches.

Holding

The Garante noted that the draft regulation takes into account the considerations it formulated in December 2021 on the previous draft and the observations provided by its Office during informal discussions. On that basis it expressed a favourable opinion on the draft regulation, whose provisions are aimed at ensuring the circulation of information in the event of a personal data breach, control by the administrations over the activities carried out by all processors, and compliance with the guarantees applicable to transfers of personal data outside the European Economic Area.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Opinion on the draft Regulation for digital infrastructures and cloud services for public administration - 9 May 2024

Register of measures
n. 289 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter, Regulation);

SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code” (hereinafter, the Code);

SEEN Article 33-septies of Decree-Law no. 179 of 18 October 2012, converted, with amendments, by Law no. 221 of 17 December 2012, and subsequent amendments, pursuant to which, in particular:

“1. In order to protect the technological autonomy of the country, consolidate and secure the digital infrastructures of the public administrations referred to in Article 2, paragraph 2, letters a) and c) of Legislative Decree no. 82, while ensuring the quality, security, scalability, energy efficiency, economic sustainability and operational continuity of digital systems and services, the Presidency of the Council of Ministers promotes the development of a highly reliable infrastructure located on the national territory for the rationalization and consolidation of the Information Processing Centers (CED) defined in paragraph 2, intended for all public administrations. The central administrations identified pursuant to Article 1, paragraph 3, of Law 31 December 2009, n. 196, in compliance with the principles of efficiency, effectiveness and cost-effectiveness of administrative action, migrate their Information Processing Centers (CED) and related IT systems, which do not meet the requirements set by the regulation referred to in paragraph 4, to the infrastructure referred to in the first period or to another existing infrastructure of their own that meets the requirements set by the same regulation referred to in paragraph 4. Alternatively, central administrations may migrate their services to cloud solutions, in compliance with the provisions of the regulation referred to in paragraph 4.

1-bis. The local administrations identified pursuant to Article 1, paragraph 3, of Law No. 196 of 31 December 2009, in compliance with the principles of efficiency, effectiveness and cost-effectiveness of administrative action, migrate their Information Processing Centres (CED) and related IT systems, which do not meet the requirements set by the regulation referred to in paragraph 4, to the infrastructure referred to in paragraph 1 or to another existing infrastructure that meets the requirements set by the same regulation referred to in paragraph 4. Alternatively, local administrations may migrate their services to cloud solutions in compliance with the provisions of the regulation referred to in paragraph 4. […]

2. The term CED is to be understood as the site that hosts one or more IT systems for the provision of internal services to public administrations and services provided externally by public administrations, which at a minimum includes computing resources, network equipment for connection and mass storage systems.

3. The activities provided for in paragraph 1 do not include data processing centers subject to the management of classified data according to the legislation on the administrative protection of information covered by state secrecy and nationally classified information according to the directives of the National Security Authority (ANS), which exercises its functions through the Central Office for Secrecy (UCSe) of the Department of Security Information (DIS).

4. The National Cybersecurity Agency, with its own regulation, in agreement with the competent structure of the Presidency of the Council of Ministers, in compliance with the provisions introduced by Decree-Law no. 105 of 21 September 2019, converted, with amendments, by Law no. 133 of 18 November 2019, establishes the minimum levels of security, processing capacity, energy saving and reliability of digital infrastructures for public administration, including the infrastructures referred to in paragraph 1. It also defines the characteristics of quality, security, performance and scalability, interoperability and portability of cloud services for public administration. The same regulation identifies the terms and methods by which the administrations must carry out the migrations referred to in paragraphs 1 and 1-bis, as well as the methods of the qualification procedure for cloud services for the public administration.

4-bis. The provisions of this article apply, without prejudice to the provisions of Law No. 124 of 3 August 2007, in compliance with Article 2, paragraph 6, of Legislative Decree No. 82 of 7 March 2005 and the discipline and limits deriving from the exercise of activities and functions in the field of public order and security, judicial police, as well as those of national defense and security carried out by the digital infrastructures of the defense administration. […]

4-quater. The migration obligations provided for in the previous paragraphs do not apply to the administrations that perform the functions referred to in Article 2, paragraph 6, of Legislative Decree No. 82 of 7 March 2005. […]”;

SEEN art. 17, paragraph 6, last sentence, of Decree-Law no. 82 of 14 June 2021, converted, with amendments, by Law no. 109 of 4 August 2021, pursuant to which, pending the operation of the National Cybersecurity Agency (ACN), “the regulation referred to in Article 33-septies, paragraph 4, of Decree-Law no. 179 of 18 October 2012, converted, with amendments, by Law no. 221 of 17 December 2012, is adopted by AgID, in agreement with the competent structure of the Presidency of the Council of Ministers”;

SEEN the Regulation containing the minimum levels of security, processing capacity, energy saving and reliability of digital infrastructures for the PA and the characteristics of quality, security, performance and scalability, portability of cloud services for the public administration, the migration methods, as well as the methods of qualification of cloud services for the public administration, adopted, pursuant to the aforementioned art. 33-septies, paragraph 4, of Decree-Law 179/2012 (in conjunction with art. 17, paragraph 6, last sentence, of Decree-Law 82/2021), by determination of the Director of the Agency for Digital Italy (AgID) no. 628 of 2021, on which the Guarantor expressed a favourable opinion with conditions (provision no. 449 of 2021, available on www.garanteprivacy.it, web doc. no. 9740711);

HAVING SEEN the note sent, most recently, on 4 April 2024, also following discussions with the Office of the Guarantor, with which the ACN sent to the Authority, for the purpose of obtaining an opinion, the draft Regulation for digital infrastructures and cloud services for public administration, pursuant to Article 33-septies, paragraph 4, of Decree-Law no. 179 of 18 October 2012, converted, with amendments, by Law no. 221 of 17 December 2012 (accompanied by four annexes), intended to replace the aforementioned regulation adopted by AgID in 2021;

NOTING that the draft regulation in question (Article 2):

- “establishes the minimum levels of security for public administrations, processing capacity, energy saving and reliability of digital infrastructures for public administrations and cloud service infrastructures for public administrations” (letter a));

- “defines the characteristics of quality, security, performance and scalability, interoperability, portability of cloud services for public administrations” (letter b));

- “identifies the terms and methods with which administrations must carry out migrations. To this end, it establishes the process and methods for the classification of data and digital services” (letter c));

- “defines the methods of the qualification procedure for cloud services for public administrations” (letter d));
identifying, for these purposes, the methods of the procedures for adapting digital infrastructures for public administrations, cloud service infrastructures for public administrations and cloud services for public administrations;

NOTING, in this regard, that the draft regulation deals with regulating:

- the “Characterization and classification of data and digital services of the public administration” (chapter II, articles 3-5);

- the “Minimum levels of digital infrastructures for public administrations, cloud service infrastructures for public administrations and characteristics of cloud services for public administrations” (Chapter III, Articles 6-8);

- the “Migration of data and digital services of the public administration” (Chapter IV, Articles 9-11);

- the “Adaptation of digital infrastructures for public administrations, cloud service infrastructures for public administrations and qualification of cloud services for public administrations” (Chapter V, Articles 12-21);

NOTING, furthermore, that Article 22 of the scheme, specifically dedicated to the regulation of the processing of personal data, establishes that:

“1. The administrations are the controllers of the processing of personal data carried out within the scope of digital infrastructures for public administrations, cloud service infrastructures for public administrations and cloud services for public administrations.

2. Digital infrastructure operators, cloud service providers and other entities involved in the processing of personal data referred to in paragraph 1 or in the migration activities of data and digital services of the public administration referred to in Chapter IV, as well as the entities they use to carry out specific processing activities on behalf of the administrations, operate as processors pursuant to Article 28 of Regulation (EU) 2016/679.

3. The entities referred to in paragraph 2 shall adopt suitable technical and organizational measures to ensure timely and adequate information of the administrations in the event of a breach of personal data, pursuant to Article 33, paragraph 2, of Regulation (EU) 2016/679.

4. The engagement of other processors by the entities referred to in paragraph 2 is governed in accordance with Article 28, paragraphs 2 and 4, of Regulation (EU) 2016/679, providing for technical and organizational measures that give the administrations suitable tools to monitor the processing activities carried out under their responsibility.

5. In the event of transfer of personal data outside the European Economic Area, the processors referred to in paragraphs 2 and 4 are required to comply with the instructions of the administrations given pursuant to Article 28, paragraph 3, letter a), of Regulation (EU) 2016/679 and to make available to them all information necessary to assess the effectiveness of the appropriate measures implemented pursuant to Chapter V of Regulation (EU) 2016/679.

6. Without prejudice to the powers of the Guarantor for the Protection of Personal Data with regard to violations of the provisions contained in this article, the National Cybersecurity Agency shall communicate to the Guarantor any evidence it becomes aware of relating to possible personal data breaches";

CONSIDERING that the draft regulation under consideration takes into account the considerations formulated by the Guarantor in December 2021 on the draft regulation then within the competence of AgID, as well as the observations provided by the Office during the informal discussions held in order to make the processing regulated therein compliant with the legislation on the protection of personal data, with specific reference to the roles assumed by the parties involved (starting with public administrations, digital infrastructure operators and cloud service providers) and to the adequate measures to be adopted to ensure, in particular, the circulation of information in the event of a personal data breach, control by the administrations over the activities carried out by all processors, and compliance with the guarantees applicable to transfers of personal data outside the European Economic Area;

CONSIDERING, therefore, that it can express a favorable opinion on the draft regulation under consideration;

SEEN the documentation in the file;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;

Rapporteur Prof. Pasquale Stanzione;

CONSIDERING ALL THE ABOVE, THE GUARANTOR

pursuant to arts. 36, par. 4, and 58, par. 3, letter b), of the Regulation, expresses a favourable opinion on the draft Regulation for digital infrastructures and cloud services for the public administration, pursuant to article 33-septies, paragraph 4, of Decree-Law no. 179 of 18 October 2012, converted, with amendments, by Law no. 221 of 17 December 2012, to be adopted by the National Cybersecurity Agency pursuant to the same art. 33-septies, paragraph 4, of Decree-Law no. 179 of 18 October 2012.

Rome, May 9, 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE SECRETARY GENERAL
Mattei