Italian DPA issues 2016 annual activity report – some interesting (and perhaps unexpected) information

Garante-privacy 2

On June 6, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, issued the annual report on its activity for 2016.

The DPA’s activity concentrated on computer crimes and cyber security; online profiling and social media; cyberbullying; fight against terrorism and mass surveillance; Big Data; use of new technologies in the workplace; Public Administration’s transparency and citizens rights; taxation and protection of taxpayers’ privacy; telemarketing; interception and protection of the data contained in judicial documents; protection of minors’ data; consumer rights; large public databases; right to be forgotten; guarantees for the international transfer of data to the US; and healthcare.

The English version of the report is not yet available. However, we extracted some numbers for you from the Italian text. Overall, there is a slight decrease in activities compared to 2015 but the number of notified administrative violations is higher

In 2016, the Italian DPA adopted 561 decisions (692 were adopted in 2015); answered 4600 questions, claims and reports (5000 were answered in 2015); decided 277 formal complaints (307 were decided in 2015), which mainly concerned banking and financial companies, public and private employers, the publishing sector (including TVs), credit reference agencies, Public Administration and providers of public services.

The Commissioners’ panel rendered 20 opinions to the Italian Government and Parliament, which concerned: police and national security activities, Public Administration computerization, taxation agencies, health data (44 opinions were rendered in 2015).

There is one figure that increased in 2016: the number of administrative violations. The Italian DPA notified 38% more administrative violations compared to 2015. Particularly, in 2016, the Italian DPA notified 2339 administrative violations in which a considerable portion concerned failure to notify data breaches suffered by telephone and Internet operators, followed by inadequate information to users on the processing of their personal data, unjustified retention of personal data, failure to adopt security measures or provide documents requested by the DPA, and finally, failure to comply with the DPA’s orders.

The administrative fines levied in 2016 by the DPA totaled about 3,300,000. In 2015, the fines totaled €3,500,000.

282 on-the-spot inspections were carried out in the private and public sector, partly in collaboration with the Privacy Squad of the Financial Police (Guardia di finanza). In particular, they concerned the data processed by car sharing companies, web and phone marketing, medical applications, online games and financial companies. An important operation that led to an 11 million fine connected to anti money-laundering investigations concerned the money transfer business.

The DPA’s front desk handled over 24,000 queries concerning, in particular, unsolicited promotional calls (33%), implementation of the GDPR (11%), the Internet, video surveillance, mail, fax and text messages, employer-employee relationships, and tax data. 25,600 queries were handled in 2015.

The Italian DPA’s 2016 report is available (in Italian) at…


For more information about how privacy is implemented in Europe, contact Francesca Giannoni-Crystal & Federica Romanelli.


Follow us on& Like us on