GDPR and Privacy Code
The right to the protection of personal data is a fundamental right of the individual, protected by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR, or "the Regulation").
In particular, according to the Regulation, each individual is entitled to have their personal data processed by third parties only in compliance with the rules and principles established by law.
In Italy, the Privacy Code was amended following the entry into force of the Regulation by Legislative Decree 101/2018, the instrument through which the main innovations introduced by the European legislator on the processing of personal data were brought into domestic law.
Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly.
Processing: any operation or set of operations carried out with or without the aid of automated processes, and applied to personal data or sets of personal data.
Lawful processing rests on solid, well-defined legal bases, so that the individual is assured that his/her data is processed securely and in compliance with his/her rights.
Principles applicable to the processing
In order for the processing of personal data to comply with the provisions of European and domestic legislation, it must comply with the following principles: (*)
- Lawfulness, fairness and transparency: lawfulness means that the processing is supported by one of the legal bases defined in Articles 6 and 9 of the Regulation; fairness (the Italian "correttezza", better understood through the English word "fair") refers to the conduct of loyalty and good faith that the controller must observe at every stage of the processing; transparency translates into the obligation to ensure that the data subject is fully aware of who processes his/her data, how it is processed and for what purposes.
- Purpose limitation: the guarantee to the data subject that his/her data will be processed only and exclusively to achieve the purposes for which it was collected;
- Data minimisation: the data subject is guaranteed that only the data necessary to achieve those purposes will be processed;
- Storage limitation: the data will be kept only for the period of time necessary to achieve those purposes.
Principle of accountability
Under the principle of accountability, privacy compliance of a preventive nature is one of the keystones of the GDPR: the controller is responsible for compliance with the principles above and must be able to demonstrate it.
The data controller must therefore be able to show that it has adopted measures, from legal to technical and organisational, aimed at protecting the personal data of the data subjects.
Records of processing activities
The Records of processing activities, provided for and regulated by Art. 30 GDPR, is the document, kept in writing (on paper or in electronic form), intended to record all the processing activities carried out by the Data Controller and, for processing performed on a controller's behalf, by the Data Processor. Its minimum content is set out in that article, and it is a suitable tool for verifying the degree of accountability of the data controller (see Principle of accountability above).
(*) The list contains the most relevant principles and is intended as an illustrative, non-exhaustive explanation.