[APWeb 1023] Personal Data Management: What are the Obligations of Providers?

New Assoprovider Webinar for Members: with legal experts Elisabetta and Vincenzo Gallotto, we discuss the Obligations of Providers in Personal Data Management.

Privacy Code, GDPR, European Electronic Communications Code: there are numerous Italian and EU laws that regulate the management of users' personal data online.

How to navigate them?

We discussed it in the new webinar of the independent internet providers association, with lawyers Elisabetta and Vincenzo Gallotto from the Gallotto law firm.

The event was introduced and moderated by the Vice President of Assoprovider, Marcello Cama.

The webinar closes with an update on the association's battle over the anti-piracy law.

The full recording of the webinar is available on Assoprovider's official YouTube channel.

The management of personal data in the electronic communications market

The day's proceedings open with lawyer Vincenzo Gallotto, who focuses on the practical aspects of managing and processing personal data from the ISP's point of view.

In 2018, Regulation 2016/679 (the GDPR) came into effect, changing the approach to personal data processing from static to dynamic, based on the so-called principle of accountability.

In essence, the regulation tells us that it is no longer the legislation that dictates what we, as providers, must do in managing personal data. Instead, it is the entity responsible for processing the data, based on the type of activity it undertakes, that must implement a series of technical and organizational measures capable of adequately processing the data.

This approach requires each operator to draft its own privacy model, so as to ensure that processing is carried out in compliance with privacy regulations.

The risk of a data breach must therefore be reduced as far as possible, wherever it cannot be eliminated entirely.

The journey begins with a preliminary assessment (valutazione preliminare): in this phase the data controller reviews the data being processed, identifying the purposes for which they are processed and the methods of processing.

At this point, the operator must define a set of procedures and security measures aimed at the proper management of data, processes that the organization's internal staff will have to follow to limit the risk of violations.

Here, employee training on these types of dynamics also becomes essential.

What activities should be concretely implemented?

  • Preparation of the record of processing activities, which has a dual role: identifying all data processing carried out in the company as data controller and all processing carried out as data processor. Among other obligations, it is important to remember to record, in the register, the telephone and telematic traffic data retained for administrative purposes.
  • Signing of agreements with any data processors (companies, entities, and legal persons that process data on behalf of the data controller). In the case of an ISP, a data processor could be the provider of a wholesale service.
  • Identification of the persons within the company who are authorized to process data, and their related training.

It is important to focus on the record of processing activities. It is indeed the first document that the Privacy Guarantor (Garante) requests in the event of an audit. When inspecting an operator, the Garante will certainly focus on two elements: the register of processing activities and whether it is kept up to date, and the presence, or absence, of a DPO (Data Protection Officer).

The question remains whether an operator is actually obliged to appoint a DPO. On this point, lawyer Vincenzo Gallotto comments:

«My advice for operators is: if possible, identify and appoint the DPO within the company. If, for some reason, this is not possible, it is necessary to prepare to document, in the event of a possible inspection by the Garante, the reasons why this appointment was not made.»

The Privacy Organizational Model in practice

With lawyer Elisabetta Gallotto, we move on to the practical aspects of complying with the principle of accountability introduced by her colleague.

First of all, a definition of the Privacy Organizational Model (MOP): it is a practical tool that allows the Data Controller to choose and manage, responsibly and independently, the obligations related to personal data protection.

In essence, it establishes in an orderly and structured manner the procedures, measures, documents, and rules for the proper management of personal data within a corporate organization.

It is therefore an important supporting tool, both to demonstrate GDPR compliance in the event of inspections by the Garante and to handle audits requested by third-party clients.

In practice, the steps to be followed by the data controller to create an effective and legally compliant privacy model are:

  • Identify the risk associated with the processing;
  • Secure data processing activities;
  • Implement appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR;
  • Release the information notice to the data subjects (customers, employees, website users, etc.);
  • Attend to the exercise of the data subject's rights;
  • Appoint the data processing officer;
  • Monitor compliance with the appointment contract of the Data Processor.

It is important to understand, the lawyer explains, that there is no pre-filled template for such a Model, as it must be tailored to the specific structure of each company.

To structure the MOP, it is necessary to consider:

  • the nature of the processing;
  • the context of the processing;
  • the purpose of the processing;
  • the risks, of varying probability and severity, for the rights and freedoms of natural persons;
  • the state of the art and the costs of implementing measures appropriate for the protection of personal data, as well as the scope of the processing.

Although, as mentioned, the drafting of the Model cannot be standardized, some minimum elements can be identified within it, such as:

  • a general operating manual (with the regulatory provisions, the corporate privacy organization chart, the types and descriptions of processing, etc.);
  • the specific procedures to be implemented, for example for risk assessment, for the impact assessment of planned processing (DPIA), for managing requests from data subjects and authorities, for handling a data breach, and so on;
  • the documents, acts, and templates to be used to map the processing activities, appoint and instruct the data processors, appoint and instruct third parties, and so on;
  • the privacy notices to be made available to the different categories of data subjects (customers, employees, suppliers, website users, candidates, visitors, etc.).

It is essential, the lawyer specifies, that the Model be brought to the attention of all parties who, in various capacities, are involved in personal data processing activities, especially with regard to the procedures to be adopted in specific cases. Consider, for example, a security incident: in such an event, the answers to questions like "Who should I contact?" and "What is the reference structure?" must be clear.

The concluding part of the speech concerns the sanctions which, the lawyer reminds us, come in two tiers:

  • First tier: fines of up to 2% of the previous fiscal year's worldwide annual turnover, or monetary penalties of up to €10,000,000.
  • Second tier: fines of up to 4% of the previous fiscal year's worldwide annual turnover, or monetary penalties of up to €20,000,000.

Anti-Piracy Law, Assoprovider's battle continues

In conclusion, Assoprovider vice presidents Antonella Oliviero and Marcello Cama remind us that the discussion on the anti-piracy law and the so-called Caivano decree is ongoing; Assoprovider has already filed an appeal against both.

The latest update is that the amendments previously submitted to the Caivano decree have been replaced by a sub-amendment. This sub-amendment should establish, within 30 days from the date the law comes into force, a new AgCom technical committee, with the participation of service providers, Internet access providers, rights holders, content providers, and so on. Subsequently, within three months from the convening of the technical committee, a platform for implementing blocks on infringing content will be developed and made operational.

Vice President Cama finally recalls that the TAR (regional administrative court) granted, in less than 24 hours, a first petition submitted by the association on the anti-piracy regulations.