In Europe, 2020 is shaping up to be a crucial year for data protection. The enforcement mechanisms of data protection authorities are becoming increasingly active. In Italy, for example, the Italian DPA, the Garante, began the year with some very significant fines. Provisions No. 231 and No. 232, issued on December 11, 2019, and published on January 17, 2020, were imposed on one of the world's leading oil companies. Similarly, Provision No. 7, issued on January 15, 2020, was imposed on a major telecommunications operator. In these cases the Italian supervisory authority imposed penalties of €11.5 million and €27.8 million, respectively. These are record administrative fines for Italy and among the highest issued in Europe so far.
These decisions leave no doubt as to the approach the Garante and other national authorities intend to take in this new era of personal data protection. Enforcement is not an easy game, and sanctions are not the objective of the EU General Data Protection Regulation. The main purpose of the GDPR is to promote accountability and improve awareness of personal data processing at every level. These provisions are a valuable opportunity for professionals to question the status quo, bearing in mind that each final decision is merely a starting point.
Regarding consent for marketing
The Italian Data Protection Authority (DPA) emphasizes the centrality of consent as the legal basis for commercial communications. The consent of data subjects is the only appropriate basis for marketing and telemarketing purposes, without prejudice to the opt-out regime regulated by national legislation. Consent must also be freely given: it cannot be made a condition of a program that offers a service to the data subject (e.g., subscribing to a loyalty program in order to obtain discounts). At the same time, commercial communications presented as service notices are considered unlawful. In its provisions, the Authority also focuses on the disclosure of data to third parties. It categorically excludes a "cascade effect" of consent that would allow any subsequent transfer of data between other data controllers lacking a legal basis of their own. Finally, the Authority noted the importance of keeping consent separate for each purpose pursued (for example, a single consent covering both marketing and profiling is unlawful). This is another crucial point: profiling is still treated as a distinct purpose, not merely as a means of processing.
About data processors
The Garante requires data controllers to verify and monitor the conduct of their designated data processors and to demonstrate the processors' compliance with applicable law. Data controllers therefore need to be able to show that they have provided call centers with scripts and operational instructions to be used during calls.
The rights of data subjects
Several aspects of the position of data subjects are considered in these provisions. For example, the data controller must be able to receive and manage a data subject's request to exercise their rights, in particular the right to object and the right to withdraw consent. The data controller must also put in place appropriate technical measures that ensure the data subject's request is properly recorded in the company's databases and in its customer relationship management (CRM) system.
Technical and organizational measures
The provisions stress the importance of automated systems that keep the CRM constantly aligned with the list of objections to promotional activities, so that consent status in the CRM is updated in real time. Controllers also need to evaluate their online platforms and tools to identify and correct any vulnerabilities in the services before they are made available to the public. Important observations are also made with reference to 1) the user authentication system (passwords on websites must be more than eight characters long, must be subject to automatic quality control that rejects "weak" passwords, and the number of login attempts with an incorrect password must be limited to prevent brute-force attacks); 2) network protocols (secure HTTPS transport must be used for all website content, not just the homepage, based on a digital certificate issued by a recognized Certification Authority); and 3) how the passwords of users registered on online platforms are stored.
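The three authentication points above (minimum length, rejection of weak passwords, and a cap on failed attempts) plus the question of how passwords are stored are easy to get wrong in a registration and login flow. The following is an added illustration, not code from the provisions or from either company involved. It assumes "more than eight characters" means nine or more, uses a small constructed denylist of weak passwords in place of a real breached-password list, stores passwords as salted PBKDF2-HMAC-SHA256 hashes (the provisions do not prescribe an algorithm; this is one common choice and the iteration count is an assumption to be tuned), and locks an account after a fixed number of failures within a time window.

```python
import hashlib
import os
import secrets
import time
from collections import defaultdict
from typing import Callable, List, Optional

# Policy constants (assumed values for illustration).
MIN_LENGTH = 9            # "more than eight characters"
MAX_ATTEMPTS = 5          # failed logins allowed inside the window
LOCKOUT_SECONDS = 900     # window/lockout length
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware and current guidance

# Constructed denylist standing in for a large list of breached/common passwords.
WEAK_PASSWORDS = {"password", "123456789", "qwertyuiop", "iloveyou1", "password1"}


def check_password_quality(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("in weak-password list")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt alongside the derived key, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Per-account brute-force limiter: after MAX_ATTEMPTS failures inside LOCKOUT_SECONDS,
    further attempts are refused without even checking the password."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)  # username -> timestamps of recent failures

    def is_locked(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_ATTEMPTS

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        """Return 'locked', 'ok' or 'rejected'."""
        if self.is_locked(username):
            return "locked"
        if verify_password(password, stored_hash):
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(self.clock())
        return "rejected"


if __name__ == "__main__":
    # Constructed walk-through: registration check, storage, then a brute-force run.
    candidate = "correct horse battery"
    print("policy problems:", check_password_quality("password"))
    stored = hash_password(candidate)
    guard = LoginGuard()
    for i in range(MAX_ATTEMPTS + 1):
        print(f"attempt {i + 1}:", guard.attempt("alice", "guess%d" % i, stored))
    print("correct password while locked:", guard.attempt("alice", candidate, stored))
```

The limiter is keyed on the account name so that guessing against one user is throttled regardless of source address; a per-IP limiter at the reverse proxy is a complementary, not alternative, control. Note that `verify_password` is skipped entirely once an account is locked, so an attacker cannot keep probing during the lockout window.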
Is the GDPR still alive?
Notwithstanding the above, a debate is growing about the potential shortcomings of the GDPR from an enforcement perspective. Perhaps the one-stop-shop mechanism is taking off more slowly than expected; perhaps the cooperation procedure between EU data protection authorities is not yet efficient and effective. The GDPR is a complex, comprehensive, and uniform piece of legislation shared among 28 EU countries. A substantial delay in enforcement, and in the imposition of heavy sanctions of up to 4% of a data controller's global annual turnover, was to be expected. However, the success of supranational legislation such as the GDPR is not measured by the quantity and size of the sanctions issued. Rather, it should be measured by the broad level of compliance achieved worldwide.
Source: Rocco Panetta