The new Guidelines for Data Protection Officer
On 29 April Italian Data Protection Authority, issued a guidance document containing important indications on the figure of the DPO.
The document contains interesting information regarding the actual role of the DPO within the holder’s structure, as well as specifications on:
- professional experience that the DPO is required to have;
- incompatibility with other roles;
- possible conflicts of interest.
Algorithm’s transparency: a new decision by the Italian Supreme Court
The Italian Supreme Court, upholding an appeal by the Italian Data Protection Authority, stated that in the case of the use of an algorithm to determine a reputation profile of users on a digital platform, consent is not sufficient per se where there is no absolute transparency on the algorithm’s operating scheme. In the absence of this, the processing must be considered unlawful as consent cannot be considered validly given.
Vaccinations at work: new guidance from the Italian Data Protection Authority
The last month, the Italian Authority adopted a guidance document on vaccination in the workplace, which became necessary when the Italian government opened up the possibility of vaccinating against Covid-19 within the workplace.
This raises several issues from the point of view of personal data protection and, for this reason, the Authority has specified that:
- it is necessary that the actors involved (employer, competent doctor, appointed health personnel), operate in compliance with the roles identified by the GDPR;
- employers can’t process personal data relating to the vaccination of their employees;
- at the moment, until further indications are given, the processing finds its lawfulness in the necessity for purposes of preventive medicine.
Scientific information and patient privacy: the measure of the Authority
On 15 April, the Italian Data Protection Authority has fined a local health agency for failing to ensure the confidentiality of a patient’s data in the context of certain scientific publications.
The Authority pointed out that, in the case of scientific publications, patients’ consent must always be obtained beforehand and their data anonymised.
Surveillance cameras and facial recognition: the Authority’s doubts about a new municipal video system
In the last few days, the Italian Data Protection Authority opened a preliminary investigation against a municipality which had launched a project for the implementation of several intelligent video surveillance systems, capable of performing a recognition of the data subject concerned. Despite assurances from the municipality that the system will not process biometric data, the Authority thus confirms its prudential stance (in line with the approach of the European Commission and the EDPB) towards facial recognition systems.