Data Advocacy for Italy

The Italian law applicable to privacy issues is Legislative Decree no. 196 of 30 June 2003 (Codice in materia di protezione dei dati personali, the ‘Privacy Code’). The Privacy Code implements Directives 95/46/EC, 2002/58/EC and 2009/12/EC.

Law Applicable:

The Data Protection Directive (Directive 95/46/EC), the Directive on Privacy and Electronic Communications (Directive 2000/58/EC), the Directive on Data Retention (Directive 2006/24/EC) and the Cookies Directive (Directive 2009/136/EC) have been implemented by Legislative Decree no. 196 of June 30, 2003, which enacted a code on the protection of Personal Data (the “Code”). The Code is primarily intended to consolidate all pre-existing Italian data protection rules, which were replaced by the Code. Furthermore, the Code provides for additional protections for Data Subjects (defined below) and simplifies the applicable rules. The Code attempts to ensure consistency between privacy rules and other legal provisions applicable to various sectors. The Code combines the provisions of the former basic privacy law and subsequent amendments, regulations, and codes of ethics, as well as the case law precedents of the Italian Data Protection Authority.

The Code is organized into three parts:

  • the first contains general data protection provisions;
  • the second contains provisions applicable to specific sectors (e.g., judicial sector; public sector; health care sector; educational sector; processing for historic, scientific and statistical purposes; work and social security issues; banking, financial and insurance sectors; electronic communications; professionals and private detectives; journalism, literary and artistic sectors; and direct marketing); and
  • the third contains remedies and sanctions for breach of the Code.

The Code applies to the processing of information relating to “Data Subjects” as outlined below.

Garante per la protezione dei dati personali (the ‘Garante’)

Piazza di Monte Citorio n. 121 – 00186 ROMA

T +39 06.696771

F +39 06.69677.3785

www.garanteprivacy.it

There is no legal requirement in Italy for organisations to appoint a data protection officer. There is no such privacy role under the Code. It is possible to appoint an internal Data Processor (Responsabile del trattamento) to manage privacy issues within an organization on behalf of the Data Controller. Third-party service providers that process Personal Data in delivering their services must be appointed by the Data Controller as external Data Processors.

Legislative Decree No. 69/2012 (implementing the Directive 2009/12/EC) amended the Privacy Code provisions in relation to breach notification by introducing:

  • the definition of ‘personal data breach’ (meaning ‘a breach of security leading to the accidental destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service’ – Section 4, par. 3, let. g-bis), and
  • new obligations in case of personal data breach.

In particular, in the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the Garante. When the personal data breach is likely to adversely affect the personal data or privacy of a contracting party or other individual, the provider shall also notify the subscriber or individual of the breach without undue delay.

Notification shall not be required if the provider has demonstrated that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

The notification to the contracting party or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the Garante shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach (Section 32-bis of the Privacy Code).

The Garante extended the mandatory breach notification requirements to data breaches relating to processing in the framework of the Electronic Health Record and to the processing of biometric data.

The Code imposes an obligation to disclose a security breach to Data Subjects and/or the Authority or other authorities only in specific sectors (e.g., telecoms operators). In any case, the Data Controller is liable to compensate not only for monetary but also for moral damages caused by the data processing. Thus, even organizations not subject to a disclosure obligation under the Code that are involved in a data breach should: (i) gather information about the breach; (ii) assess the potential risk of harm to the Data Subject(s); (iii) take steps to mitigate the harm to the impacted Data Subject(s); (iv) take steps to contain the breach and to prevent future similar breaches; (v) assist authorities with any investigation relating to the breach; and (vi) comply with data authority orders and court orders.

An organization that is involved in a data breach situation may be subject to a suspension of business operations; closure or cancellation of the file, register or database; an administrative fine, penalty or sanction; civil actions and/or class actions; or a criminal prosecution.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

  • the recipient’s details were originally collected “in the context of a sale”.
  • the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
  • the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
  • the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Consolidation Act regarding the Protection of Personal Data (Data Protection Code – Legislative Decree No. 196 of 30 June 2003) (‘DPC’)

First-party e-marketing (entity that collects the data will send the e-marketing itself):

  • B2C: Opt-in. Opt-out permitted where Opt-Out Rule applies.
  • B2B: Opt-in. Opt-out permitted where Opt-Out Rule applies.

Third-party e-marketing (entity that collects the data will share with third-party partner for e-marketing):

  • B2C: Opt-in.
  • B2B: Opt-in.
