Privacy 2016: updates and expectations.

In recent months we have seen numerous news items and updates concerning the regulation of personal data protection. These changes have affected both Italian and Community legislation. It is believed that, in 2016, these innovations will have many consequences for operators, both individuals and companies.

The biggest news expected between the end of 2015 and early 2016 is the issuing of the new European regulation on privacy. The new regulation will harmonize the rules on the protection of personal data and will apply uniformly in all EU member states. It will also introduce new rules relating to technological evolution, social networks and big data (data collection expanded in terms of volume, speed and variety), as well as a new professional role not contemplated in current Italian legislation: the so-called "Data Protection Officer", who is responsible for the protection of personal data.

The “Data Protection Officer” is supported by a professional of the highest importance in the privacy organization of any corporate structure: the “Controller of data processing”. This professional, under special authorization, materially performs "any operation or set of operations, carried out even without the aid of electronic instruments, concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, circulation, erasure and destruction of data, even if not registered in a database" (Article 4, paragraph 1, letter a).

In Italy it is not mandatory for companies to appoint a professional to take care of the management of personal data; in the US, by contrast, there is a widespread tendency to appoint professionals with technical skills. These professionals supervise all the procedures regarding the processing of information; moreover, they intervene in case of problems such as the risk of destruction or loss of data, unauthorized access, or unauthorized or non-conforming access to the collection of personal data.

Today it is clear that privacy legislation is evolving; we are confident that next year it will give us further talking points.

We now focus on the Italian situation. In Italy, the latest update on the processing of personal data concerns the introduction of the new “Code of conduct” for the processing of data for commercial purposes, which is binding on all operators who conduct business within commercial companies.

The new Code, issued by the Authority for the protection of personal data by resolution of September 17th, 2015, and published in the Official Journal No. 238 of October 13th, 2015, will enter into force on October 1, 2016.

The Code, promoted by the Guarantor, was drawn up by various associations of businessmen and consumers.

We must ask which categories of persons the new Code affects. The new privacy legislation concerns an important sector of the internal market: the area of activity of commercial companies that collect, process and store commercial information, and provide information and/or valuation services.

The clear intention of the Authority was to simplify and streamline the obligations regarding public or freely communicated information, the communication and storage of information, the exercise of rights by interested parties, and information security. The new Code identifies all the guarantees relating to the processing of personal data, with a view to ensuring the certainty and transparency of information in trade relations, the proper flow of collected information, and the updating of the personal data processed.

Observance of the code of conduct contained in the Code is the essential condition for the correctness of data processing carried out by both private and public entities.

Anyone drawing up a dossier of commercial information on the activity of entrepreneurs or business managers must collect data and information within certain limits, researching and investigating persons or legal entities that have had a direct connection with the manager or entrepreneur in question; furthermore, the source of the information about the person surveyed must be indicated (Article 2).

Moreover, information and data collected from sources accessible to anyone may be used, for example newspapers or telephone directories. Personal information from so-called public sources will also be used: public records, documents or registers, and financial statements contained in the commercial register at the Chamber of Commerce, as well as personal information provided directly by the parties.

Personal data will be used without the consent of the interested parties, as required by the Privacy Code (Article 5). The processing of personal data must take place within the limits of knowability, usability and advertising; moreover, commercial companies must commit to regularly updating the commercial information on their websites, in compliance with national legislation (Articles 3-4).

Operators will also be able to investigate and find only information that is relevant and not excessive in relation to the achievement of commercial purposes.

One of the most important news items related to the Privacy Code is “Safe Harbor”.

The "Safe Harbor" agreement, published in the Official Journal of November 26th, 2001, allows US companies to use the same standards for the management of personal data in both the US and Europe.

In judgment No. C-362/14 (Maximillian Schrems / Data Protection Commissioner), the European Court of Justice said that the agreement is not valid. In its Decision of July 26th, 2000, the European Commission considered that, in the context of the "Safe Harbor", the US would guarantee an adequate level of protection for the personal data processed; the judgment of the European Court of Justice, against the decision of the Commission, has the effect of giving more power to the national authorities for the protection of privacy. National authorities should therefore verify, at the request of the interested parties, whether the data transfer from Europe to the US takes place in accordance with personal rights. If the data transfer is judged inadequate, it will be blocked.

Commercial companies can still lawfully transfer information using other instruments provided by the privacy regulation, such as contract terms and BCR (Binding Corporate Rules).

We believe this subject is extremely topical. Today companies like Facebook, Google and Microsoft base their business on moving files through their operational bases around the world; about 4,500 companies have benefited from the rules contained in the “Safe Harbor” agreement.