Ethically GDPR

By | Friday March 24th, 2017

On last 15 March, during the three-days Clusit Security Summit, has been held in a full room of Atahotel Expo Fiera Rho-Pero, a meeting entitled “Practically GDPR” presented and moderated by Dr. Vallega in the formula of the “round table” with speakers – in addition to the president of Clusit – from companies representative of the Italian economic environment

This post is not intended to recap the event so I will just say that the meeting was structured on a general presentation of the EU Reg. 2016/679, followed by testimonies of the implementation of GDPR in specific companies, with a question time dedicated to the participants. Among them, one in particular has struck me: “the ethical aspect of GDPR, i.e. what you do / you could do, to emphasize – following the correct adjustment privacy – even the ethical values linked to world of privacy “.

The matter would be, therefore, not only to implement the legislation but also to give a view that allows to emphasize and highlight attention detailed aspect of values underlying to the same

The first thing I would say is that the norm in most parts pays attention to the ethics, but we are generally more concerned by operations. And omit both the inspiring motives that led to the issue of certain rules (like the “considering”) and a more careful reading of the clauses of law, not only focused on the “how / what to do” but also tp the deep meaning of the rule. To illustrate the above example is sufficient to read the article. 45 EU Reg 679/2016 on data transfer to non-EU territory based on an adequacy decision which reads: A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. 2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”

So, it is the legislation itself to place primarily attention to the respect of human rights and fundamental freedoms, and to emphasize the contents of the clause above, it is directly demanded to the EU Commission to consider and then adopt the implementing deeds (see Article 45, paragraph 3, reg. 2016/679)

A first solution, therefore, to underline the ethical aspect in companies’ privacy compliance frame may be to highlight in the relevant documentation not only the procedures but also the inspirational basis of the same.

But not only

In fact, to really give an ethical perspective to privacy management system of a single entity, it could be advisable to compare the regulations and international standards present in the company and related to the issue, in order to create a single integrated system

To this aim it would be interesting to compare privacy legislation, compliance programs pursuant to Legislative Decree no. 231/2001 (with particular reference to crimes like those against the human personality), and, in my opinion, the SA 8000 international standard,  listing the requirements for ethical behavior of companies and the production chain

From the results of this activity – obviously also integrated with all the remaining items required by GDPR – you could have not only a good tracking and a good mapping of data èrcessing (also useful for the preparation of the RPA former Article 30 Reg. 2016/679) but also a program serving a greater emphasis on ethics and moral duties… and the way to give evidence to third parties is short … so, in my opinion, also the company committed in an operation of this kind would benefit and would be able to stand out on the market.

Laura Marretta

Category: Legal framework Tags: , , , , , , , , , , , , , ,

About laura.marretta

Avv. Laura Marretta Dopo aver conseguito la Maturità Classica presso l’Istituto Marcelline di Milano e la Laurea in Giurisprudenza presso l’Univeristà Cattolica del Sacro Cuore diventa Avvocato del Foro di Milano ed è Partner dello Studio Legale Internazionale Romolotti Marretta dal 2006. Svolge la propria attività professionale con particolare riferimento ai settori della Privacy e Data Security, Tutela del Segreto Industriale, Diritto della Moda, Energy, e Sistemi di Organizzazione Aziendale (normative UNI CEI ed ISO) nonché in ambito di Certificazioni e Marcatura CE. Svolge il ruolo di DPO presso enti associativi di rilevanza nazionale nonché per conto di società del settore industriale e dei servizi. E’ relatrice presso corsi e convegni sul territorio nazionale, con specifico riferimento ai settori della privacy e della video security. Collabora in pubblicazioni nazionali ed internazionali ( tra le quali numerose edizioni annuali di Doing Business edito dalla World Bank Maturità Classica at Istituto Marcelline of Milan, Graduated in Law at Univeristà Cattolica del Sacro Cuore, Attorney at Law of the Milan Bar, is a Partner of Romolotti Marretta International Law Firm since 2006. Her professional activity is focused on Privacy and Data Security, Trade Secret Protection, Fashion Law, Energy Law, Enterprise Organization (UNI CEI and ISO standards), Certification and CE mark. She is DPO in associations at national level and companies of the industrial and services areas. Speaker at seminars and conferences with specific reference to privacy and videosecurity law, she is a contributor in national and international publications, included several editions of Doing Business edited by World Bank (

One thought on “Ethically GDPR

  1. Giampaolo Franco

    Concordo pienamente! Il tema dell’etica e della responsabilità sociale delle aziende che trattano i dati delle persone viene messo in secondo piano. E’ molto difficile costruire la consapevolezza e l’etica aziendale, perché si deve lavorare sulla coscienza delle persone e non sugli aspetti tecnici ed organizzativi. Darò sostegno a questa tematica con i prossimi post!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.