Author Archives: Cesare Gallotti

About Cesare Gallotti

More than 15 years of experience in information security and IT process management. Italian representative in ISO/IEC SC 27 WG1 international meetings for writing the ISO/IEC 27000 family of standards. Activities in Italy, Europe, Asia and Africa, for companies of various sizes and market sectors. Consultancy, training and audit for: information security, quality, compliance with legal requirements (personal data protection, SOX, etc.), compliance with international standards (ISO 9001, ISO/IEC 27001, ISO/IEC 20000, ISO 22301, etc.), and process improvement.

How to engage processors

Articles 28 and 29 of the GDPR require that a processor be engaged “by a contract or other legal act”. Such a document must include: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects; the confidentiality agreement; assurance that…

Notification to the supervisory authority

The GDPR (the European privacy regulation) does not require “notification to the supervisory authority” for special data processing. Such notification was required by the previous Directive 95/46/EC. In fact, notification of special processing operations is considered an obsolete tool and, as written in recital 89, “did not in all cases contribute to improving the protection of personal…

Direct marketing

Today in some States there is an opt-out option for the use of public data for the purpose of direct marketing. In some cases, data subjects need to declare their right not to be called on telephone numbers listed in public directories. The new European privacy regulation (GDPR) does not allow this procedure. Explicit consent need…

Practical alternatives to Safe Harbor

The European Commission issued a guide for transferring data outside of the EU after the Schrems judgment: http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm. We now have two ways: using contractual clauses or binding corporate rules (BCR). These two methods are applicable to all transfers to countries for which there is no authorization by the European Commission or a local privacy…

Processors and sub-processors

The current Directive 95/46/EC does not regulate sub-processing. A controller can choose a processor, but a processor cannot choose a sub-processor. As a result, many processors chose sub-processors and designated them as their own processors. These cases should have been discussed in the last 20 years, considering that supply chains are getting longer. The last GDPR…

The PIA concept from directive 95/46 to the current draft of the EU – Conclusion

In two previous posts, I’ve presented some of the ideas for planning and executing the PIA process and report. Risk assessment is a very useful tool for management decisions. Unfortunately, some promote overly complex risk assessment methods that do not support any management decision, but only increase the time and effort for analysis and don’t…

The PIA concept from directive 95/46 to the current draft of the EU – Part 2

Further developments: After the first wave of PIA methods, in the last two years further ideas have been proposed. Unfortunately, they introduce complexity instead of helping controllers, processors and operators. In 2014 the European Commission ruled on smart grids and promoted another model for PIAs. This model has theoretical errors (e.g. “feared events” and “threats”…

The PIA concept from directive 95/46 to the current draft of the EU – Part 1

First developments: Privacy impact assessment (PIA) is cited more and more in news and technical documents. This article is a first attempt to analyse the first significant contributions on this subject and makes no claim to completeness. The present EU Directive 95/46 on data protection requires data controllers and processors to have measures to “ensure…