We are not obviously talking about technical roles, endowed with administrative privileges, but rather about roles stated with Decision of Italian DPA: Measures and precautions prescribed to data controllers of electronic processes concerning functions of the system administrator – November 27 2008 and subsequently modified with decision on June 25th 2009. Such Decision, as is… Read More »
Within analysis of the system of sanctions in GDPR, focus is usually set on the significant figures provided for by article 83, which succeeds reaching Controllers and Processors with administrative fines up to 20 millions euro or up to 4% of global annual turnover. Article 83 General conditions for imposing administrative fines … 4. Infringements… Read More »
As is well known the GDPR provides no clear guidance on how to demonstrate its own conformity and this poses a number of non banal challenges to entities that process personal data. Between various possible tools that could be considered (while awaiting more detailed guidelines) there is the use of a series of measurable parameters… Read More »
First advice: the regulations should be read; it is not enough merely to consult a few articles or to follow one or two conferences to understand what is necessary to do. The authors and the relaters bring their own interpretations, often very debatable. Simply by reading the regulatory text you can actually understand what is… Read More »
One of the faults of the current legislation, that has been maintained in GDPR, is the use of the same term for both the internal data processors in an organization (usually managers or officials) or external ones (generally outsourcers companies or service providers). Leaving out the current consequences of these definitions we take into account… Read More »
One of the possible future consequences of the entry into force of the GDPR will be the likely disappearance of minimum measures, a well-defined list of security measures that surely had the merit of spreading the knowledge of basic security concepts. The concept of minimum measures was properly introduced to avoid that with a simple… Read More »
A substantial difference between the GDPR and the current 196/03 legislation regards the obligations for the Data Controller and Data Processor to guarantee continuous access to data. The current privacy legislation takes care of the issue mainly in Appendix B, where the minimum measure number 23 reads (cites): 23. Appropriate measures are taken to ensure… Read More »
The general conditions for the processing of personal data are given in Decree 196/03, in particular in section 3 Section 3 (Data Minimisation Principle) Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought… Read More »
In my courses on privacy I’m fond of saying that the Italian regulation protects against gossip. A friendly manner to highlight (what is not well known) that the Privacy Code must be respected by all citizens, who are not only protected persons, but must themselves respect the privacy policy. In fact, the d.lgs 196/03 states… Read More »
Much has been discussed about the right to be forgotten introduced by the new EU Regulation. But is it really something new? The wording of Article 17 Right to erasure (“right to be forgotten”) in the new EU Regulation is all but linear, with constant references to other articles, so its’ interpretation in some places… Read More »