My job allows me to attend many diverse workshops and events on GDPR. My overall impression is that most of the attendees have never really read a privacy legislation text, whether it’s the current legislation or the GDPR.
This state of things is quite detrimental because the questions asked are often absolutely irrelevant (for instance, the question about the right to be forgotten and the personal data processed on the basis of contractual obligations…) or the statements made show a fairly superficial knowledge of the matter (someone still confuses PROTECTION with SECURITY or claims that we moved from PRIVACY to personal data PROTECTION and forgets that the current Italian legislation is a Code on data PROTECTION as well) and much more.
Reading the legislative text is essential for those who are involved or will be involved in privacy issues within their company since the matter is very difficult and intricate and it requires synergies among different company roles. For example, the definition of a data retention periods policy must take into account the company’s IT architecture (see in this respect my post The period for which the personal data will be stored). ). Deciding to retain data for the only purpose that requires the longest retention period is formally incorrect. The reason is that technical and organizational measures must be implemented to avoid that the same information is used for other purposes with shorter retention periods, or that the same information is deleted if stored on multiple data bases that have diverse purposes and data retention periods.
The policy must be defined collectively with legals, the organization function and IT since the beginning. In this context, the organization function and IT should necessarily read carefully, personally and directly the legislation.
This is the only way to have a correct and comprehensive view of the implications of each requirement, preventing the risks of a PowerPoint effect [1].
In this context we should never forget that a comprehensive overview on privacy legislation is essential, while the focus has been only on the GDPR, forgetting that most of Legislative Decree 196/2003 isn’t directly affected by the new norms.
For instance, it is true that it is formally correct to deal only with data concerning involved parties while mapping with the aim of realizing a data treatments registry. For privacy legislation compliance nonetheless, it would be more appropriate to take into account also other parties, such as contracting parties and users, whose treatment is subject to other legislations and play a key role in marketing (see in this respect my post Marketing and GDPR).
In Italy, we’re used to one single legislative text that includes fulfillments prescribed by different European directives. Instead, we should start thinking in European terms and get used to read the real texts of directives.
This approach could be very useful to understand the importance of GDPR, which is more similar to Directive 95/46/CE than to our Legislative Decree 196/03 in many respects.
Such comparison could be a guide to the correct interpretation of the legislator’s will.
Let’s consider article 22 of GDPR Automated individual decision-making, including profiling and compare it with article 15 of the Directive 95/46/EC:
Directive 95/46/EC – Article 15 Automated individual decisions
1 Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.
2 Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision:
a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or
b) is authorized by a law which also lays down measures to safeguard the data subject’s legitimate interests.
GDPR – Article 22 Automated individual decision-making, including profiling
1.The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2.Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
3.In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4.Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
The two articles are quite similar and honestly the directive’s wording at paragraph 1 seems more explanatory than the vague and cryptic wording of Section 14 Legislative Decree 196/03, which is probably known only by a few (also because there’s no sanction definition in case of non-compliance with that prescription, as often is the case with current regulations).
Section 14. Profiling of Data Subjects and Their Personality
1 No judicial or administrative act or measure involving the assessment of a person’s conduct may be based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality.
2 The data subject may challenge any other decision that is based on the processing referred to in paragraph 1, pursuant to Section 7(4), letter a), unless such decision has been taken for the conclusion or performance of a contract, further to a proposal made by the data subject or on the basis of adequate safeguards laid down either by this Code or in a provision issued by the Garante in pursuance of Section 17.
Similarly, article 8 of Directive 95/46/EC describing special categories of data[2] is far more straightforward and similar to GDPR than to the complex formulation regarding sensitive data of Legislative Decree 196/03, with some exceptions relative to some integrations.
Directive 95/46/EC – Article 8 The processing of special categories of data
1 Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2 Paragraph 1 shall not apply where:
a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject’s giving his consent; or
b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defense of legal claims.
GDPR – Article 9 Processing of special categories of personal data
1.Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2.Paragraph 1 shall not apply if one of the following applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
Concluding, as I often say to my students, I invite you all to read carefully legislative texts in addition to attending conferences and reading articles.
[1] Presentations tend to simplify these concepts with the risk of reiterating wrong messages and incorrect interpretations of the norms.
[2] It has to be noted that the definition of special data instead of sensitive data is not something new, but it’s simply the reconfirmation of the wording adopted by the reference regulations.
(translated by Matilde Bobbio)