What is GDPR and what does the privacy code provide?

The GDPR (General Data Protection Regulation) is the EU Regulation 2016/679, which came into force on 25 May 2018, which regulates the processing of personal data within the European Union.

What does it provide? Privacy is a fundamental element because it regulates various sectors, from condominiums to work and healthcare. It is therefore important to respect the rules necessary to protect the processing of personal data.

What does the General Data Protection Regulation establish specifically? The rules on consent, information, right to be forgotten and limited data retention established by the GDPR, privacy code.

Privacy Code: what does the GDPR provide?

The European regulation on privacy (GDPR) which came into force on 19 September 2018 has brought several innovations to the old Code on the protection of personal data.

The main measures established in the text and currently in force concern:

• Explicit consent: the processing of personal data requires clear and specific consent from the interested party, except in cases where there are other legal bases (contracts, legal obligations, legitimate interests, etc.);
• Transparency and information: people must be clearly informed about how their data is collected and used;
• Right of access: interested parties can know what data is collected about them and how it is used;
• Right to rectification and erasure (“right to be forgotten”): data subjects may request the modification or erasure of their data under certain conditions;
• Data portability: it is possible to receive your data in a structured format and transfer it to another data controller;
• Restriction of processing: you may request the suspension of the processing of your data in certain situations;
• Obligation to notify breaches: in the event of a data breach, the competent authority (in Italy, the Data Protection Authority) and, in certain cases, the data subjects must be informed within 72 hours;
• Responsibility and security: data controllers must adopt adequate technical and organizational measures to ensure data protection

In general, the new provisions provide more stringent measures for company owners regarding the processing of personal data in their possession.

These rules specifically concern the "communication" and "dissemination" of data of natural persons. Therefore, administrative sanctions will be applied for failure to comply with the rules.

As regards minors, the new privacy regulation establishes that their consent is valid starting from the age of 16, before this age it is necessary for consent to be given by parents.

Another new feature introduced by the GDPR concerns the information notice which must now be clear and easy to understand. Furthermore, the new regulation establishes that in the case of personal data not collected directly from the interested party, the information notice must be provided within a period that cannot exceed 1 month from collection, or at the time of communication of the data.

Furthermore, the amendment provided for by art. 9 Processing in the context of the employment relationship through the provision "Information in the event of receipt of CVs" establishes that in the case of receipt of CVs sent by candidates, the information must be provided by employers at the time of the first useful contact, following the sending of the CV.

What data is protected by the privacy code?

The data that the privacy code protects are:

• personal data;
• sensitive and judicial data (special data).

personal data is information that identifies or makes identifiable a natural person and that can provide details on his/her characteristics, habits, lifestyle, personal relationships, health and economic situation.

Special data is the subset of personal data made up of sensitive data and judicial data.

sensitive data is personal data that reveals racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data suitable for revealing the state of health and sexual life.

Judicial data are personal data relating to criminal records, administrative sanctions resulting from a crime and related pending charges, or which reveal the status of defendant or suspect.

Data processing methods

The privacy code provides that the personal data subject to processing must be:

• processed lawfully and fairly;
• collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with such purposes;
• accurate and, if necessary, updated;
• relevant, complete and not excessive with respect to the purposes for which they are collected or subsequently processed;
• stored in a form that allows identification of the interested party for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.

Privacy Policy

The Privacy Code also provides for the obligation to inform those who release their personal data.

In particular, the person who decides to authorize the processing of their personal data must be informed in advance through a written or oral communication that must contain the following information:

• the purposes and methods of processing for which the data are intended;
• the mandatory or optional nature of providing the data;
• the consequences of any refusal to respond;
• the persons or categories of persons to whom the personal data may be communicated or who may become aware of it in their capacity as managers or agents, and the scope of dissemination of the data.

Once the interested party has received the information, the latter must give his consent for the processing of personal data.

Original article published on Money.it Italy. Original title: Cos’è il GDPR e cosa prevede il codice della privacy