Senior management and organisation
Please identify the authority’s senior management.
The Italian data protection authority is composed of the board and the secretary general. The secretary general supervises the organisation of the different departments and services of the authority.
Please see the internal organogram at www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/5459135&zx=kdf5vy5i6fk3.
When was the head of the authority appointed?
President Antonello Soro and the other three members of the board were appointed by the Italian parliament in June 2012.
How long is their term of office?
Their term of office is for seven years, and this is non-renewable.
What is the process for nominating the head of the authority?
According to article 153 of Italy’s Data Protection Code (Legislative Decree No. 196/2003), the board is composed of four members appointed by parliament. The president of the authority is appointed from among its members.
What was the authority’s budget for the most recently available financial year?
According to Act of Parliament No 145/2018 and Ministerial Decree of 31 December, the authority’s estimated budget for 2019 is €30,127,273. Details of the 2018 budget are available at www.gpdp.it/home/trasparenza/bilanci/bilancio-preventivo-e-consuntivo/bilancio-preventivo-e-relativi-documenti-2018.
How many data protection/privacy-focused staff does the authority employ?
The authority employs 127 persons.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
In case of a personal data breach, companies may contact the authority by certified email at [email protected], providing all the relevant information detailed in article 33(3) of the GDPR.
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process? Please specify individuals, email addresses, URLs for online forms, etc.
They may contact the authority by certified email at [email protected]. The unit competent for starting the approval process of BCRs is the Service for EU and International Matters.
What other contact information should companies and their advisers be aware of?
For any other request, including those of a general nature, the authority can be contacted at [email protected].
Legal and enforcement framework
Can you search premises or force the disclosure of information without having to approach the courts?
Yes, except for inquiries carried out at a person's home or in another private dwelling. According to article 158(4) of the Data Protection Code, the controller's or processor's informed consent or the authorisation from the competent judge is required to search these premises.
What fines can you impose on companies that breach data protection rules?
The administrative fines that the authority can impose are provided by article 83 of the GDPR, and by article 166 of the Data Protection Code.
What other measures can you take against companies that breach data protection rules?
Corrective powers under article 58(2) of the GDPR.
What emergency or interim measures can you take pending the full conclusion of your investigations?
The authority can impose a temporary or definitive limitation, including a ban on processing.
Priorities and the future
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
The authority has issued a list of the types of processing operations that are subject to the requirement for a data protection impact assessment according to article 35(4) of the GDPR (published in the Official Journal, no. 269, 19 November 2018).
It also recently verified the compliance of the rules on professional standards with the GDPR (processing of personal data in journalistic activities, storage and historical research, scientific research and statistics, defensive investigations). These rules have also been published in the Official Journal; see www.gpdp.it/web/guest/codice.
Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?
According to article 154 of the Data Protection Code, the authority shall promote, in compliance with the provisions contained in the GDPR and in the national Code, simplified arrangements to fulfil the obligations placed on controllers of SMEs by way of guidance.
Italy has yet to sign the Council of Europe’s modernised Convention 108+ on the protection of personal data.