Last October, the Data Protection Authority provided a range of significant clarifications on two of the main requirements – extremely important aspects of accountability – introduced with European Regulation 679/2016 on data protection and privacy (“Regulation”):
(i) the Data Processing Register, in response to the FAQs published on 8 October on the Data Protection Authority’s website, and
(ii) the Data Protection Impact Assessment (“DPIA”), as provided in Measure No. 467 of the Data Protection Authority, issued on 11 October.
Data processing register
According to the Data Protection Authority, the “Register of processing activities” (“Register”) – as provided in article 30 of the Regulation – must contain all key information concerning the processing activities completed by the Controller. The document must be in written or electronic form and is the first document to be promptly made available on request of the Data Protection Authority or during an inspection.
The Data Protection Authority has extended the pool of subjects that are required to keep the Register, so as to include all businesses that process personal data on a non-occasional basis (regardless of the number of people employed), commercial or craft establishments with at least one employee, self-employed professionals, associations and foundations and, lastly, condominiums, where “special categories” of data are processed.
The Data Protection Authority has pointed out that the Register must contain the required level of “minimum information”, specifically:
– the purpose of each processing operation. In this regard, the recommendation is to also indicate the legal basis for processing, in addition to specifying the purpose for each type of processing (processing of employee data to manage the employment relationship; processing of supplier contact details when managing orders). The following recommendations are also made, again in reference to the legal basis: where “special categories of data” are processed, indicate one of the conditions set out in art. 9, par. 2 of the Regulation; where data relating to criminal convictions and offences are processed, indicate the specific provisions (national or EU) under which the processing is allowed pursuant to article 10 of the Regulation;
– the categories of data subjects (e.g. customers, suppliers and employees) and the categories of personal data (e.g. personal details, medical information, biometric data);
– the categories of recipients to whom the data are disclosed (other controllers to whom the data are disclosed, including their category, for example, to social security institutions to fulfil payment obligations). The Data Protection Authority also advises that it would be appropriate to indicate any other persons to whom – as processors or sub-processors – the data are disclosed (e.g. to payroll processing companies). This is to ensure that the Controller has knowledge of the number and type of entities to whom data processing operations are assigned;
– any transfer of data to third countries, indicating the countries or third parties to which the data are transferred and the safeguards applied in accordance with the Regulation;
– the period for which the personal data are stored (e.g. in the case of employment relationships, the data must be stored for 10 years from the date they were last recorded) and, lastly,
– a general description of the (technical and organisational) security measures put in place for each processing operation, including the possibility to reference external documents of a generic nature (e.g. internal procedures) to allow a more comprehensive assessment.
The Data Protection Authority has reiterated that the Register must be updated on an ongoing basis so that its contents reflect the actual situation of the processing operations carried out. In essence, any changes must be immediately recorded in the Register and explained.
The Processor is also required to keep a Register of the processing operations. The Data Protection Authority has clarified that the keeping of such Register must comply with the following:
– if the Processor is acting on behalf of customers who are separate and autonomous controllers (e.g. software house company), the information set out in article 30(2) of the Regulation must be recorded in the Register in reference to each of the aforesaid controllers. In this case, the Processor will divide the Register into the same number of sections as the number of autonomous controllers on behalf of which he/she is acting or, alternatively, a reference can be added, for example, to a customer (controller) information card or database containing a description of the services supplied to them. The customer information cards should in any event contain the information required under article 30(2) of the Regulation;
– having regard to the “record of all categories of processing activities carried out”, a reference can be made to the contents of the contract of appointment as processor, which, pursuant to article 28 of the Regulation, should set out, in particular, the nature and purpose of the processing, the type of personal data and categories of data subjects and the duration of the processing;
– likewise, in the case of sub-processors, the Register of the processing operations carried out by them can specifically reference the contents of the contract entered into between the sub-processor and the Processor pursuant to article 28 of the Regulation.
Data protection impact assessment
Measure No. 467 of the Data Protection Authority provides a list of 12 types of processing activities in relation to which a Data Protection Impact Assessment (DPIA) must be carried out. These requirements are therefore in addition to the provisions contained in article 35 of the Regulation and in the guidelines issued in 2017 by the WP29 (now the European Data Protection Board).
The DPIA is a particularly delicate operation in terms of “privacy compliance”, since it requires the Controller to carefully assess and consider the related technical and organisational measures, which must be able to prevent risks to the rights and freedoms of the natural persons concerned.
In addition to the three examples given in article 35 of the Regulation – profiling, systematic monitoring of a publicly accessible area on a large scale and processing on a large scale of special categories of data (formerly, “sensitive data”) – there are nine other cases, as listed in the WP29 guidelines, for which the DPIA is mandatory. The Italian Data Protection Authority has provided further clarifications in this respect.
In detail, the Data Protection Authority requires that a DPIA is carried out in advance for the following categories of processing:
– evaluation-type processing, scoring on a large scale and profiling;
– automated decision-making with legal or similarly significant effects for the data subjects (e.g. screening customers of a bank using information obtained from a central credit register);
– processing that enables the systematic use of data for observation and monitoring purposes (e.g. online or using apps);
– processing on a large scale of strictly personal data (e.g. emails) or which have impacts on fundamental rights (location, which if collected may affect freedom of movement);
– processing in the context of employment relationships, using technological means (e.g. video surveillance or geolocation) that enable the remote monitoring of an employee’s activity;
– processing that involves vulnerable data subjects (minors, people with disabilities, etc.);
– processing with innovative technologies (IoT or AI);
– processing that involves the exchange of data between several controllers, on a large scale;
– processing by means of interconnection or similar methods (e.g. mobile payments);
– processing of “special categories” of data or, in any event, concerning criminal convictions;
– systematic processing of biometric data and, lastly, genetic data.
From a “comparative” perspective, compared to the French Data Protection Authority (CNIL), the Italian Authority does not make specific reference to processing in relation to “whistleblowing systems”.
It should be noted, however, that the list of the 12 types of processing – due to be published in the Italian Official Journal – is not an exhaustive list: while the DPIA is required when at least one of the 9 cases listed in the WP29 guidelines is present, it can (and should) also be carried out whenever the Controller deems it necessary.