On 19 September, Legislative Decree No. 101/2018 entered into force (the “Decree”), laying down provisions to align the national regulatory framework with European Regulation 679/2016 on personal data protection (“GDPR”).
The Decree gives the Data Protection Authority (the “Authority”) broad powers as well as significant duties, such as the review of some codes of professional conduct and the issuing of specific guidelines that promote simplified “privacy compliance” methods for micro, small and medium-sized enterprises.
Moreover, the Decree includes a series of provisions that specify certain powers and duties falling on the Data Controller and the Data Processor. Among them, they are allowed to assign roles and tasks to personnel inside the company who, under the previous regulations, could be defined (depending on the case) as data processors or persons in charge of data processing.
The Decree confirms the exception to the information obligation in the case of CVs voluntarily submitted by data subjects with a view to establishing an employment relationship. It remains understood that the data subject shall be provided with a suitable information notice at the time of the first actual contact following submission of the CV. In addition, it is confirmed that consent to the processing of the personal data contained in a CV is not required, as long as the processing takes place for contractual or pre-contractual purposes.
Furthermore, the Decree provides for limitations of the rights granted to data subjects where the exercise of those rights may cause, among other things, actual and material damage (i) to the interests protected by anti-money laundering regulations and (ii) to the confidentiality of a whistle-blower reporting an offence of which he/she may have become aware in the course of his/her role.
The GDPR allows the Member States to define, without prejudice to the administrative fines it establishes, additional penalties “as long as they are effective, proportionate and dissuasive” as well as “capable of ensuring the application of the Regulation”. The Decree also confirms certain specific offences included in the previous regulations. These include the unlawful processing of personal data, for which the maximum penalty is now only slightly reduced, from 24 months to 18 months, and the breach of the rules on remote monitoring and on surveys of employees' opinions.