The General Data Protection Regulation (GDPR), officially Regulation (EU) 2016/679, is a European Union regulation on the processing of personal data and privacy, adopted on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016; it entered into force on 24 May of the same year and became applicable from 25 May 2018.
With this regulation, the European Commission aims to strengthen the protection of personal data of citizens of the European Union (EU) and EU residents, both inside and outside the EU borders, by giving citizens back control of their personal data, simplifying the regulatory context for international business, and unifying and harmonizing privacy legislation within the EU.
The text also addresses the issue of exporting personal data outside the EU and obliges all data controllers (including those with registered offices outside the EU) who process data of EU residents to observe and comply with the obligations it lays down. Since its entry into force, the GDPR has replaced the contents of the Data Protection Directive (Directive 95/46/EC).
“The proposed data protection regime for the EU extends the objectives of the European data protection law to all foreign companies that process European resident data regardless of where they process them and their registered office. It allows for harmonization of the different data protection regulations across the EU, thus facilitating compliance by non-European companies; however, this has been achieved at the cost of a regime that provides for strict data protection regulations, with strict penalties that can reach 4% of the global turnover.” Following negotiations in the trialogue between the European Parliament, the European Commission and the Council of Ministers, a general consensus was reached on the wording of the GDPR and on the financial penalties for non-compliance.
The proposal for the General Data Protection Regulation contained some passages which were not confirmed in the final version. It did, however, favorably consider the introduction of privacy by design (privacy requirements must be included in the design of the system), privacy by default (privacy measures must be implemented by default) and the principle that an IP address is personal data. These principles were then incorporated into the regulation.
As a premise to the exposition of the articles of law, the regulation contains a long list of recitals, also numbered in sequence, and cited with “C” followed by the number of the recital.
The regulation centres (art. 24) on the concept of accountability, translatable as “(proactive) accountability” or, better, “(the responsibility to) give an account”, owed by the controller (and its processors/sub-processors) to the data subject.
The regulation applies to the processing of personal data, and to the non-automated processing of data stored in a “filing system”, defined (articles 2 and 4) in a similar way to the expression “data bank” found in the Italian privacy code. (Italy has adapted to European legislation through legislative decree no. 101 of 10 August 2018.) Furthermore, unlike the previous directive, the regulation also applies to companies, entities and organizations in general with registered offices outside the EU that process personal data of residents of the European Union, regardless of where the storage (archiving) and processing (server) systems are located. The regulation does not concern the management of personal data for national security or public order activities (“the competent authorities for the purposes of the prevention, investigation, detection and prosecution of crimes or the execution of criminal sanctions”). According to the European Commission, “personal data is any information relating to an individual, whether it relates to his private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
This legislation is not specific to any type of medium: the information and related data can be oral/verbal, paper/physical, digital/intangible, or combinations of these.
The regulation governs the processing of personal data only of natural persons (including data of natural persons processed in a professional or associative context, in similar situations, or in relations between companies, bodies and associations). Identification data and similar data of subjects having legal personality are therefore excluded from its application: corporations, companies and public bodies, associations and foundations, or in any case organizations in general, even those without legal personality as defined in Italy. This does not apply to sole proprietorships, because in their case personal and professional identities coincide. In practice, the field of application concerns the personal data of natural persons processed in any activity (professional, economic, public interest, associative, etc.), with the exception of domestic/non-professional life (except for the online publication of personal data of natural persons, even in a personal or domestic context, since this is an indiscriminate disclosure).
The personal data provided or communicated may relate to third parties (with respect to the data subject) or be processed by third parties (with respect to the controller). The GDPR defines a third party as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”. For the processing of data relating to third parties or provided to third parties (communication to recipients), the privacy notice must specify this, responsibilities must be defined, and the compliance of the processing by the controllers involved must be verified. A particular form of processing such as “dissemination” must also be foreseen or excluded in the privacy notice.
On the basis of the principle of establishment, its rules apply to the processing of personal data carried out by controllers and processors established in the European Union, regardless of where the processing is carried out or where the data subject is located.
The regulation, on the other hand, does not apply in the following cases:
- processing carried out for activities that do not fall within the scope of EU law;
- processing carried out by Member States in the exercise of activities falling within the scope of Title V, Chapter 2, of the Treaty on European Union (foreign policy and security);
- processing carried out by the competent authorities for the purposes of prevention, investigation, detection or prosecution of crimes or execution of criminal sanctions, including the protection against threats to public safety and the prevention thereof (see Directive 2016/680);
- processing carried out by a natural person in the course of exclusively personal or domestic activities (see the exemption for personal use).
Data definitions in the previous directive are expanded and characterized, and new ones added. Therefore, in addition to personal data, we find genetic, biometric and health-related data, and in general all information that allows the unique identification of a natural person.
- Personal data (Article 4 paragraph 1): information relating to an identified or identifiable natural person. The novelty lies precisely in the identification criterion: the person can be identified directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more elements characteristic of his physical, physiological, genetic, mental, economic, cultural or social identity. In an FAQ the European Commission replies that “various pieces of information that, collected together, can lead to the identification of a particular person constitute personal data”: this is the concept of a profile (behavior, habits, history) that becomes personal data even though it does not, in itself, contain a specific identifier of a particular subject. In particular, when speaking of personal data it is necessary to distinguish between direct identifiers (for example a tax code) and indirect identifiers (for example an IP address, a date and/or place of birth); metadata are among the indirect identifiers that can lead to precise profiling and therefore to the identification of a natural person. The definition of personal data is relative, i.e. it depends on the context: in a group of 10 people the date of birth of a subject is very likely to be a direct identifier, while in a group of 1 million people it is almost certainly not;
- Special categories of personal data (“sensitive” data under the Italian privacy code) (Article 9 paragraph 1): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning a person’s sex life or sexual orientation, as well as:
- Genetic data: inherited or acquired, obtained through DNA and RNA analysis from a biological sample of the natural person in question;
- Biometric data: such as the facial image, thanks to which it is possible to identify one and only one natural person;
- Health data: both physical and mental, past, present or future, but also information on health care services received, regardless of the source (for example, a doctor).
- Personal data relating to criminal convictions or offenses (Article 10): the processing of personal data relating to offenses or convictions may take place only under the control of the public authority or where authorized by Union law.
- Not every piece of confidential information (taken individually) relating to a natural person is “personal data”, although this is sometimes superficially believed. Only information that could reveal the identity or properties (profile, behavior, history, location, etc.) of a person is personal data; in practice, depending on the context, a single element may be personal data (for example a tax code or an IP address), while in other cases the combination (aggregated or not) of two or more data is required to constitute personal data (for example information on a person’s habits): here the information could reveal the identity of the person without explicitly containing any direct identifier (name and surname, photograph of the face, fingerprint, etc.).
- As noted above, the GDPR and privacy law in general apply only to the personal data of natural persons: the data of organizations are not protected by the regulation;
- Privacy rules do not apply only to companies, public administration bodies and self-employed workers: the vast and varied world of associations, foundations, committees, organizations and other bodies, whether or not they belong to the third sector, must comply with the GDPR and the related regulations;
- “Privacy” is often confused with “confidentiality” (or “secrecy”), which are two distinct concepts framed by different doctrines and laws; invoking privacy regulations for the protection of secret information or confidential business and professional data is entirely unfounded.