Italy: Integrating the GDPR Into Law
Italian privacy law incorporated the EU General Data Protection Regulation as of September 19, 2018. Employers and other interested parties should be aware of the following:
- Rather than removing the existing Italian Privacy Code and replacing it with GDPR legislation, the Italian government amended the existing Italian Privacy Code to align it with the GDPR, replacing whole sections by means of cross-references to the GDPR. The resulting text is confusing, may not be fully aligned with the GDPR and may contain contradictions.
- Employers should review their processes at least every two years, as the Italian Data Protection Authority will be issuing a list of additional requirements to be observed in the processing of genetic, biometric and health-related data.
- Additional restrictions will be placed on employers that seek to conduct criminal-record checks.
- There is a potential conflict in how direct marketing is treated, with consent still required under the Italian Privacy Code (with criminal sanctions possible for any breach), whereas the GDPR permits direct marketing on the basis of legitimate interest.