Italian police authority explains how it will verify companies’ privacy compliance

Informazionefiscale.it reported an interesting interview with Marco Menegazzo, commander of the Special Privacy Unit of the Italian Guardia di Finanza, who spoke during the Privacy Day Forum held on May 25, 2018, and which dealt with privacy, sanctions and checks under the GDPR.

Which checks will be carried out by the Italian authority under the GDPR? Mr. Menegazzo highlighted the concept of accountability and how it will drive the investigation phase. The Italian police authority will verify whether the company or the professional can support – with documents or logical reasoning – the privacy measures that have (or haven’t) been adopted. Even the choice not to do a certain thing (failure to appoint a DPO, failure to keep the Register) has to be explained in order to be justified.

Starting date. Privacy verification by the Italian Guardia di Finanza began on May 25, 2018. This date is not only the day on which the GDPR enters into force, but also the day on which the control activity of the Italian police authority started. Specifically, the inspections will start immediately on the mandatory and fundamental obligations set forth by the GDPR, which include:

  • appointment of the data protection officer (DPO);
  • adequate measures in case of data breach (including accidental and occasional losses of data, such as the theft of a PC and so on);
  • register for the processing: this will be the basis of the inspection activity, from which the Guardia di Finanza will start to evaluate the measures implemented for privacy protection.

The central role of the DPO. It will be fundamental for the company to account for the assessments made. In this sense, the role of the Data Protection Officer (DPO), the person in charge of data protection, is fundamental. It wasn’t clarified how privacy controls will be carried out in SMEs, where the DPO’s appointment is not mandatory.

Sanctions: the Guardia di Finanza will verify if there is any violation. However, only the Garante per la Privacy, the Italian Data Protection Authority, will actually sanction the violations.

If the DPA deems the application of the sanction necessary, the elements collected during the investigation phase will ensure that it can be applied in an effective, proportionate and dissuasive manner.

 

The full text of the article is available in Italian at https://www.informazionefiscale.it…

 

For more information, Francesca Giannoni-Crystal and Federica Romanelli