What is the GDPR
From 25 May the GDPR becomes mandatory. This new Regulation, which governs the processing of personal data, will have a significant impact not only on data privacy but also on the obligations that EU and non-EU companies must comply with. In the meantime, it may be useful to go through some of the most frequently asked questions together, to become familiar with the new Regulation and get ready for 25 May.
1) What is the GDPR and when will it find full application?
The GDPR, acronym for General Data Protection Regulation, is the European Data Protection Regulation that will revolutionize the management of users' personal data on the web, with a view to transparency, simplification, unification and above all accountability between countries.
The GDPR officially entered into force in May 2016, replacing the previous 1995 Data Protection Directive, but, being a regulation with deferred application, it becomes mandatory two years after the date of its approval, i.e. on 25 May 2018. That date will probably also see the repeal of the previous Privacy Code, Legislative Decree 196/03.
2) What is the difference from the previous 1995 Data Protection Directive?
The 1995 rules were conceived in a period in which the internet had not yet taken hold and data retention was carried out with procedures completely different from today's.
The GDPR is a new-generation piece of legislation that, starting from 25 May 2018, marks the beginning of a new way of processing users' personal data: we move from a system based on an authorization model to a model of accountability for processing operations.
3) What innovations does the GDPR introduce regarding the collection of consent?
At the moment the mechanism of prior consent, also known as the opt-in method, is in force in Italy: consent is valid only if it is obtained before each processing operation, and it is what makes that processing lawful.
Other countries in Europe use the logic of presumed consent based on user behavior. In the United Kingdom, on the other hand, the opt-out mechanism is in force, which assumes consent unless there is an explicit denial.
In order to harmonize the legislation in the various countries, the GDPR strikes a balance by establishing that consent is valid only if it is expressed in advance, through positive conclusive behaviors (an affirmative act by the user).
4) Is it possible to apply the rule of positive conclusive behaviors to collect data already now, i.e. before 25 May?
Yes, because the two years of time have been granted to allow the States to adapt to the legislation in time.
The GDPR is already in force and from 25 May it becomes mandatory.
5) Can data that companies disclose publicly, such as those found online, be used?
Even if the data are available and publicly accessible, under the GDPR they cannot be used freely for direct marketing actions without prior consent, expressed in an unequivocal way, from the data subject.
6) Is the double opt-in mechanism for data collection required by law?
The double opt-in mechanism is not mandatory by law, but it is a virtuous mechanism that is absolutely recommended, as it consists of a second confirmation step in which the user confirms the wish to receive communications.
The GDPR requires structured information, further clarifications and possibly also a video clip to explain the purposes of the processing.
7) What happens to the data collected under the old legislation?
The personal data of users collected under the previous legislation will have to be subjected to an analysis to assess whether they can continue to be used also in light of the new legislation.
8) With regard to e-commerce, what should you do if a customer leaves an email address to receive information on the order, but does not tick the box to receive commercial information?
If the customer does not tick the box to receive commercial information, the contact details left cannot be used to send commercial updates: by ignoring the box the customer has clearly expressed a refusal, or in any case consent has not been validly given.
9) Are company addresses and private addresses subject to similar data processing?
No. Data relating to natural persons and data relating to companies are treated differently. Addresses of the type bianchi@company.it count as personal data, while company addresses of the type amministrazione@company.it are not personal data.
10) Which companies must have a DPO?
The Data Protection Officer is a new figure introduced by the GDPR. Let's see which companies must have this figure within them and what their role is.
The subjects for which the DPO is mandatory are:
- Public entities
- Private companies that process sensitive and judicial data in a monitored and automated way
- Subjects who carry out large-scale processing
What role does the DPO play?
- Verify that data processing is carried out correctly
- Draw up the Privacy Impact Assessment document
- Assess that no risks arise from the data processing
Art. 37 of Regulation (EU) 2016/679 lists the cases in which it is mandatory to appoint the DPO:
Article 37
Designation of the data protection officer
1. The controller and the processor shall systematically designate a data protection officer whenever:
- the processing is carried out by a public authority or a public body, with the exception of the judicial authorities when exercising their judicial functions;
- the core activities of the controller or the processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of large-scale processing of special categories of personal data (sensitive data) or of data relating to criminal convictions and offences (judicial data).
2. A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily reachable from each establishment.
3. Where the controller or the processor is a public authority or a public body, a single data protection officer may be designated for several public authorities or public bodies, taking into account their organizational structure and size.