Italy - Data Breach Guide

Italy

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

Yes, in particular:

• Notification of a personal data breach to the data protection authority is governed by Article 33 of the (EU) Regulation no. 2016/679 ("GDPR"); and
• Communication of a personal data breach to data subjects affected is governed by Article 34 of the GDPR.

Please refer to the chapter on the European Union, since the Italian regulatory framework in matter of personal data breaches is governed by the relevant GDPR provisions.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

Please refer to the chapter on the European Union, since the Italian regulatory framework in matter of personal data breaches is governed by the relevant GDPR provisions.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Content of the notice

The notice shall contain the information listed in Article 33 (3) of the GDPR.

Please refer to the chapter on the European Union, since the Italian regulatory framework in matter of personal data breaches is governed by the relevant GDPR provisions. In any case, the notification must not include details on the data subject affected by the data breach (e.g. do not provide the names of the persons involved in the data breach).

1.3.2 Time period in which notice must be given

According to Article 33 (1) of the GDPR, the data controller shall notify the personal data breach to the Italian Data Protection Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Please refer to the chapter on the European Union, since the Italian regulatory framework in matter of personal data breaches is governed by the relevant GDPR provisions.

1.3.3 Method of giving notice

The notification must be sent to the Italian Data Protection Authority by certified e-mail to protocollo@pec.gpdp.it or by ordinary e-mail to protocollo@gpdp.it and must be signed digitally (with qualified electronic signature/digital signature) or by handwritten signature. In the latter case, the notification must be submitted together with a copy of the signatory's identity document. The subject of the message must necessarily contain the words "NOTIFICATION OF PERSONAL DATA BREACH" and optionally the name of the data controller.

In the absence of a complete framework on the data breach occurred, the data controller may initiate the notification, reserving to carry out a subsequent supplementary notification.

With its Provision on the notification of personal data breaches of 30 July 2019, the Italian Data Protection Authority has provided a standard form to file the notification, composed by the following sections:

• Kind of notification (preliminary, complete, supplementary, according to Article 33 of the GDPR, according to Article 23 of the Legislative Decree no. 51/2018);
• Section A: Data of notifier;
• Section B: Data controller:
  • Section B1: Contact details for information about the data breach;
  • Section B2: Further subjects involved in the data breach and the relevant privacy role (e.g. joint controller, data processor or representative).
• Section C: main information on the data breach;
• Section D: details on the data breach;
• Section E: description of likely consequences and gravity of the data breach;
• Section F: measures taken to address the personal data breach;
• Section G: communication to data subjects;
• Section H: other information.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

According to Article 83 (4) lit. a) of the GDPR, failing to notify is subject to administrative fines up to EUR 10,000,000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, failing to notify may result in a fine and strict liability in tort action.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Yes, according to the territorial scope set forth by Article 3 of the GDPR, the relevant provisions apply, in general, to the processing of personal data of data subjects who are in the Union (including, of course, in Italy), regardless of whether the data controller or the data processor is located in the same country of the data subjects.

Please refer to the chapter on the European Union, since the Italian regulatory framework in matter of personal data breaches is governed by the relevant GDPR provisions.

1.6 What are the applicable (data protection) laws or guidelines within your country?

The main national data protection laws and regulations are:

• Legislative Decree no. 196/2003, as subsequently amended by the Legislative Decree no. 101/2018 ("Personal Data Protection Code");
• Legislative Decree no. 65/2018 in implementation of (EU) Directive no. 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (so-called "NIS");
• Legislative Decree no. 51/2018 in implementation of (EU) Directive no. 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data;
• Provision on the notification of personal data breaches issued by the Italian Data Protection Authority on 30 July 2019.

1.7 Contact information for the local Data Protection Authority:

For more information, contact: