Italian DPA published the annual report on its activity
On 2 July, the Italian Data Protection Authority published its annual report on its activities.
The document highlights the main aspects on which the Authority focused in the last year, dominated by the Coronavirus emergency and the issues underlying the processing of health data in the context of the epidemic.
The topics on which the Authority’s activities have focused are:
- the ethical aspects of the use of new technologies;
- data economy and the capitalization of personal data;
- the protection of the data of minors;
- big data;
- AI and algorithms;
- facial recognition technologies.
To provide an idea of what the activity has been, here are some numbers:
- 1387 data breaches;
- 57 million fines for telemarketing;
- 38 million fines collected;
- 278 injunctions issued.
A new judgment on the issue of the proof of damage to privacy
The Italian Supreme Court, in a decision issued last June, confirmed that damage to privacy cannot be considered in “re ipsa“, as it does not consist in the mere infringement of the interest protected by the law, but in the prejudicial consequences of such infringement. The Court concludes that proof of the damage can also be provided through presumptions.
New fine for telemarketing
In a recent decision, the Italian Data Protection Authority has fined a company for 3 million € for failing to verify that transfers of recipient data were covered by adequate consent.
The Authority has specified that the consent, initially given by a data subject to a company also for promotional activities of third parties, cannot extend its effectiveness also to subsequent transfers to other data controllers. Such transfers would not be supported by the necessary specific and informed consent of the data subject.
Privacy in the workplace: municipality fined
On 13 May, the Italian Data Protection Authority fined a municipality for € 84,000. In the measure, the Authority stated that it is not lawful to monitor workers’ internet browsing in an indiscriminate manner. Regardless of specific union agreements, any monitoring activities must always be carried out in compliance with the Workers’ Statute and privacy regulations.
The measure was issued following a complaint by an employee who, during disciplinary proceedings, discovered that he was constantly monitored by the municipality.
Investigations revealed that the municipality had been using a system for monitoring and filtering employees’ internet browsing for about ten years, storing data for a month and creating reports for network security purposes.
These data processing operations were deemed excessive in relation to the purposes pursued, since there was a preventive and generalised collection of data relating to connections to websites visited by individual employees.