The Italian Data Protection Authority releases its Report on 2016 Activities: Data breaches and commercial exploitation of data are increasingly under the spotlight

Background information/Scenario

On June 6th the Italian DPA published its Report on Activities 2016, covering the Authority's work during 2016 and the implementation and enforcement of privacy legislation. The report aims to evaluate past actions and to indicate the prospective ones, also in view of the application of the new EU General Data Protection Regulation from May 2018.


Main issues

The Authority indicates the most relevant interventions of 2016. It starts by listing some of the main areas of action:

– computer crime and cyber security;

– online profiling and social media;

– risks on the Internet and cyberbullying;

– the fight against terrorism and mass surveillance;

– Big Data;

– the use of new technologies in the workplace;

– public administration transparency and guarantees to citizens;

– taxation and the protection of the taxpayers’ privacy;

– telemarketing;

– wiretapping and the protection of procedural documents’ data;

– child safety online;

– consumer rights;

– large public databases;

– the school sector;

– the right to be forgotten;

– the guarantees for transferring data to the US; and

– healthcare.


It emerged that cyber security compliance is particularly under the spotlight, with the DPA conducting proactive investigations and receiving 15 data breach notifications from public administration bodies and 43 from private bodies (see the DPA's information page, guidelines and decisions on data breach notification). Moreover, the DPA has devoted particular attention to the detection and punishment of unlawful data processing related to marketing activities (especially telemarketing) and online profiling. As examples of successful actions, the DPA mentions the obligations imposed on Google and Facebook aimed at ensuring online data protection.

In 2016 a number of codes and guidelines entered into force, including the Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes and the Guidelines on processing personal data in performing credit collection activities.

At the international level, it is noteworthy that the Authority has also been active in the debate surrounding the Internet of Things, joining an international investigation on data protection issues raised by recent IoT developments. Furthermore, in 2016 the DPA engaged in the definition of guidelines in view of the application of the EU General Data Protection Regulation in Italy. The Italian DPA, together with the other EU Authorities, participated in the development of the relevant guidelines: the Article 29 Working Party's Guidelines on the Data Protection Officer, on Data Portability, on the Lead Supervisory Authority, and on the Data Protection Impact Assessment. The Authority has also been working with the Council of Europe on the revision of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and has drafted Guidelines on Big Data with the Council. It is also interesting to highlight that the DPA entered into cooperation agreements with the DPAs of Eastern European countries in order to exchange information and perform joint investigations.

In the Report the Authority backs up its activity with figures. In 2016 alone, the DPA carried out 282 inspections in both the private and public sectors, prosecuted 2,339 violations and collected €3,289,896 in sanctions.


Practical actions

Companies have to intensify their efforts to align their data protection compliance framework with the provisions of the EU General Data Protection Regulation.

A great deal of attention should be paid to the implementation of adequate security measures and the correct management of possible data breaches.

The commercial exploitation of data (e.g., Big Data and analytics) is under the spotlight of the Italian DPA, and profiling and marketing activities should be carried out on a solid legal basis which must be demonstrable at any time upon request of the Authority or of the data subjects.
