The Italian Data Protection Authority sanctions an Italian television platform for illegal promotional calls
For making illicit promotional calls, the Italian Data Protection Authority ordered a television platform to pay a fine of €3,200,000 and, in addition, prohibited any further processing of data for promotional purposes based on lists acquired from other companies. Chief among the critical issues raised by the Authority was the making of promotional calls without providing information or obtaining consent, using unverified lists acquired from other companies.
The State Council has rejected an appeal lodged by some teachers against the Ministry of Education, aimed at suspending Decree 6 August 2021, n. 257, with which the Ministry required school staff to hold the green certification in order to access school buildings. The State Council considered that the green pass does not violate privacy, nor does it represent discrimination. The judges, in particular, highlighted that the complaints raised cannot be upheld, as they are contradicted by the implementation of the indications of the Authority, which stipulate that the verification apps neither know nor retain the personal data of citizens and thus do not affect their privacy.
Mobile phones, smartwatches, fitness trackers and wireless toys: IoT is now an integral part of everyday life. The use of such tools leads to a continuous and massive processing of personal data, which necessarily has a strong impact on issues such as confidentiality and information security. That is why the European Commission intervened on 29 October with a delegated act on the Radio Equipment Directive, laying down new requirements for cybersecurity and setting a number of general objectives, which manufacturers of specific categories of radio equipment must take into account in the design of products in order to:
- improve network resilience by having wireless device manufacturers develop capabilities to prevent damage to communications networks;
- protect consumer privacy through the implementation of new measures to prevent unauthorized access or transmission of personal data;
- reduce the risk of monetary fraud in electronic payments by developing features that ensure better control of user authentication.
Tips from the Italian Data Protection Authority on choosing passwords and storing them safely
In a press release of 25 October 2021, the Italian Data Protection Authority published a vademecum with several tips on the choice and storage of passwords used to access online services.
The new vademecum explains how to choose a valid password, how to manage it, and how to keep it. In any case, according to the Authority, a good password:
- must be long enough (at least 8 characters);
- must contain uppercase letters, lowercase letters, numbers and special characters or user name references;
- shall not contain any commonly used whole words or “camouflaged” words;
- should be changed frequently;
- should not be used for more than one account.
The Italian Data Protection Authority gives a positive opinion on the Agid guidelines on the IO App
The Authority has often intervened to regulate the correct use of the IO App; last summer, for example, it identified some critical issues related to the transmission of data to third countries. The dialogue with the Authority on the IO App has been successful, and on that basis it then expressed a favourable opinion on the outline of guidelines prepared by the Agency for Digital Italy (Agid), agreeing to the rules governing telematic access to public administration services, including through the use of the IO App. The document in question defines the way in which the system is set up and operated, enabling public administration (PA) services to be made available to users.
Particular attention was paid to the measures and guarantees adopted to implement the access point in compliance with the principles of privacy by design and privacy by default, with specific regard to the processing of health data and personal data relating to criminal convictions and crimes, and the ways of integrating the telematic access point with other digital platforms.
The Italian Data Protection Authority sanctions a University for remote student control
The Authority, with the injunction order of 16 September 2021, fined a University 200,000 euros. The university was found to have violated the GDPR by using the “LockDown Browser” and “Respondus Monitor” software to monitor students during testing. This software was banned as being unduly invasive: the former was used to monitor students via video, and the latter prevented them from seeking answers online during testing, thus violating student privacy.
The Italian Data Protection Authority sanctions a Municipality that published data of citizens who tested positive for Covid
The Authority has sanctioned a Municipality that violated the legislation on the protection of personal data by publishing, on its Facebook page and on its institutional website, personal data and information about persons who had undergone a swab test, had tested positive for Covid-19, or were in quarantine.
The Municipality defended itself by arguing that it had disseminated the data at the request of the data subjects themselves, stating that «Being small entrepreneurs or professionals, with many contacts, they asked the administration to make their positivity known in an attempt to stop or control the contagion», and that they had given their consent. However, the Municipality’s justifications were not fully accepted, as they are not consistent with the rules on the protection of personal data.
Green pass in the workplace: green light from the Authority for new methods of verification
The Authority has expressed a favourable opinion on the new Dpcm of 12 October concerning the new methods of verifying the Green pass in the workplace.
According to the Authority, verification that workers hold the Green pass in order to physically access the workplace can also be carried out through methods in addition to the Verifica19 app.
On the one hand, the Authority authorizes the use of development packages (SDK) issued by the Ministry under an open source license to develop software to be integrated into access control systems; on the other hand, it provides, only for public administrations with more than a thousand employees, an application interoperability service with the National Platform-DGC.