
Data breach notification: new procedure adopted in Italy

New procedure, new burdens and obligations

With decision no. 157 of July 30, 2019, the Italian Data Protection Authority (Garante) introduced a new official template setting out the minimum information required for the notification of a personal data breach under Art. 33 of the GDPR. The Garante had previously introduced sector-specific methods and requirements for notifying a data breach; with the new decision, the Authority standardises the terms, contents and methods of notification, adding a number of burdens for the notifying entity.

What to include in the notification

The GDPR provides that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Likewise, the data processor who becomes aware of a possible violation is obliged to promptly inform the controller so that remediation actions can be performed (Articles 33 and 55 of the GDPR, Art. 2-bis of the Italian Privacy Code).
As a result of the Garante’s decision no. 157, the level of detail required in a data breach notification has increased significantly, probably also to allow the controller to assess responsibly whether or not the breach must also be communicated to the natural persons concerned, in accordance with Article 34 of the GDPR.

Let’s see how the data breach notification changes.
In order to submit the notification, the data controller shall download the form available on the Garante’s website and fill in the following sections:

  • A. Data of the subject making the notification: the personal and contact details of the person who actually submits the notification (if one has been appointed, this is the controller’s DPO);
  • B. Data relating to the data controller: the identification data of the controller (full company name, fiscal code, address, …), the contact details of the person to be contacted for information, such as the DPO or the internal legal counsel (where a DPO has been appointed, the protocol number communicated by the Garante after the DPO online registration shall be entered), and the details of any other subjects involved, with an indication of the role they played in the breach (joint controller or processor, representative of a controller not established in the EU);
  • C. Summary information on the breach: this is one of the most critical sections, as it requires detailed information on the breach, including the exact date on which it occurred, the time and manner in which the controller became aware of it, the reasons for the delay in case of notification beyond 72 hours (if applicable), the nature and cause of the data breach, and the categories of personal data and individuals affected, with an indication of their volumes;
  • D. Detailed information on the breach: in addition to the previous section, this one must describe the breach in detail, in particular the incident underlying it, the categories of data affected, and the information systems and infrastructures involved in the incident, with an indication of their location and of the technical and organisational security measures adopted;
  • E. Possible consequences and seriousness of the breach: this section requires a prognostic effort by the controller, who must identify the possible impacts of the breach based on its nature and the potential negative effects for those concerned; a reasoned estimate of the likely seriousness of the data breach is also required;
  • F. Measures taken as a result of the breach: all technical and organisational countermeasures adopted to limit the impact of the breach and to prevent future incidents shall be reported here;
  • G. Communication to the data subjects: this section must specify whether or not the breach has been communicated to the data subjects in accordance with Article 34 of the GDPR and, in the event of non-communication, clarify the reasons for that decision;
  • H. Other information: a closing section in which details of the cross-border impact of the data breach and of any reports already made to other authorities can be entered.

If the data controller does not have all the information required by the form, a partial notification can be submitted, initiating the process even without a complete picture of the breach, subject to a subsequent supplementary notification.

How to send the notification

The notification form, once completed with the required information, must be sent to the Garante by e-mail to “protocollo@pec.gpdp.it” and must be signed either digitally (qualified electronic signature/digital signature) or by hand. In the latter case, the notification must be submitted together with a copy of the signatory’s identity document.
The notification should not include personal data concerning the subjects affected by the breach. Furthermore, the subject line of the message must contain the words “NOTIFICATION OF VIOLATION OF PERSONAL DATA” and, optionally, the name of the data controller.

Next steps

The new notification form requires the controller to collect a large amount of information relating to the breach. In order to be able to submit the notification, the controller must therefore ensure that it has implemented appropriate organisational procedures – both internal and external, i.e. directed at its data processors – that enable it to promptly obtain all the information necessary to complete the notification.
The notification procedure must be supported by keeping the so-called “data breach record”: a document with the dual function of allowing the controller to easily monitor and control all personal data breaches that have occurred and of allowing the supervisory authority to verify compliance with the obligation of timely notification.
This register should be prepared in line with the requirements of the notification form, so as to collect all the information necessary to adequately document any personal data breach, including the circumstances surrounding it, its consequences and the remediation steps undertaken.

The data breach scenario in Europe and Italy

The phenomenon of data breaches is constantly increasing in Europe. The European Data Protection Board has published a report on the state of implementation of the GDPR 9 months after its full applicability, which notes that the supervisory authorities in Europe have recorded about 64,684 notifications of data breaches, and it is reasonable to assume that this figure has grown further since the report was published. In this respect, according to the World Economic Forum, cyber attacks are the greatest threat to companies operating in Europe. In recent years, Europe has been the scene of a long series of major cyber attacks, the number of which increased by about a third in the first quarter of 2018 compared to the same period of the previous year.
These estimates are confirmed by the report presented by the European Union Agency for Network and Information Security (ENISA), according to which the number of cyber attacks has increased significantly and their seriousness has grown exponentially. In the first half of 2018, around 4,500 million records were compromised due to data breaches, a big increase compared to 2017, when “only” 2.7 million records were breached in the same period.
As for Italy, according to the most recent estimates available, up to June 30, 2019 the Garante has recorded 1,254 confirmed data breach notifications, an increase of about 31% compared to the breaches recorded up to March.

For more info drop me a line via Twitter, Fb or Telegram.

If you think this information is valuable, repay my effort and share it on your #SocialMedia, Be Influent! 

Also don’t miss my Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!


Cookiebot: what changes after Planet 49 decision?

Cookies are a tricky topic for web professionals. Essential to the sites that use them, annoying to the consumers who agree to them, and misunderstood by plenty of people on both sides. The GDPR has indirectly imposed higher standards for cookie usage – in particular what constitutes valid consent and transparency.

The Court of Justice of the European Union (CJEU) has issued a landmark decision in the Planet49 case, an important case on the rules applicable to cookies. This decision may impact your Cookiebot settings and cookie policy, so it’s time to find out how Cookiebot changes after the “cookie decision”.

The case

Planet49, an online gaming company registered in Germany, hosted a lottery on its website. In order to participate in the lottery, users were required to enter name and address. Beneath the input fields for the address were two sets of checkboxes.

The first checkbox was not pre-ticked, and it was meant for the participant to consent to being contacted by certain sponsors about their commercial offers. The second checkbox was pre-ticked, and it was meant for the participant to consent to have cookies placed on his device for the purposes of providing targeted ads to the participant.

According to the rules of the lottery, participation was only possible if the participant ticked at least the first checkbox. This approach was claimed to infringe the EU rules on informed and freely given consent. The case reached Germany’s Federal Court of Justice, which then referred it to the CJEU.

Key takeaways from the recent CJEU decision on cookies

🔹️The EU Court of Justice confirmed today in its decision on the Planet49 case that the placing of cookies requires active consent of the internet user.

🔹️Active consent is not validly constituted by way of a pre-checked checkbox which that user must de-select to refuse his or her consent.

🔹️Consent must be specific. The fact that a user selects the button to participate in a promotional online lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

🔹️It doesn’t matter if the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

🔹️The user must be informed about the duration of the operation of the cookies and whether or not third parties may have access to those cookies (this may impact your cookie policy).

🔹️Interestingly, the Court was not asked – and so did not rule on – whether a data subject can be required to consent to processing of personal data for advertising purposes in order to participate in a promotional lottery. That leaves a big open question with significant implications for ad-funded content.

How Cookiebot settings change after the “cookie decision” ⁉️

If your Cookiebot has every cookie category (analytics, profiling, etc.) pre-checked, it may be time to consider changing your settings. According to the Court, only technical cookies are considered necessary and can be pre-activated. However, the various Data Protection Authorities across Europe have different interpretations of what constitutes a technical cookie and when consent is required. Furthermore, the ePrivacy Regulation is coming and may change the scenario again. Meanwhile, the ICO (the U.K. Data Protection Authority) recently issued guidance on a GDPR-compliant cookie strategy. Grab it on the TechnoLawgy channel on Telegram.



🛫New Drones Law in Europe🛫

On July 1, 2019, the set of specific European rules for Unmanned Aircraft Systems (UAS), commonly referred to as drones, came into force. These rules set out the general principles for ensuring safety, protecting privacy and safeguarding the environment. Let’s see what the main changes are for manufacturers and users.

1. Why a new regulation?

Commission Delegated Regulation (EU) 2019/945 and Commission Implementing Regulation (EU) 2019/947 have been published to ensure that drone operations across Europe are safe and secure.

The common rules will help drone operators, whether professional or recreational, to have a clear understanding of what is and is not allowed. At the same time, they enable operators to work across borders. Once drone operators have received an authorisation in their state of registration, they are free to operate throughout the European Union. This means that they can operate their drones seamlessly when travelling across the EU or when developing a business involving drones around Europe.

In recent years there has been an exponential development of drones with reference to both the technology available and the possibilities of use. Initially exploited in the military field, today drones are within everyone’s reach, and are increasingly used for recreation and leisure time.

But it is in the commercial field that we find the widest variety of purposes for which a drone can be used: filming on movie sets, outdoor light shows (as an alternative to traditional fireworks), search and rescue operations, field watering, window cleaning at height and fast delivery are just some of the activities that currently involve drones in different countries of the world, and thanks to the versatility of these machines the development of new models and areas of application proceeds rapidly.

In England, for example, researchers are developing drones capable of independently inspecting and repairing potholes in the roads. In the near future, drones will certainly be used for public transport, as shown by the “Urban Air Mobility” project supported by the European Union, which encourages private initiatives for the creation of “flying taxis” and already has Audi and Airbus as partners.

In fact, according to the European Commission, the drone industry could create about 150,000 jobs in the EU by 2050.

In this scenario, a significant number of national aviation authorities have started issuing new aviation safety standards to regulate the use of drones in national airspace. However, to ensure legal certainty and consistency across the EU and in the design of a “Single European Sky”, the European Commission proposed on 7 December 2015 a revision of the EU legislative framework to be ready for the challenges beyond 2020. The result of this proposal was the Regulation (EU) 2018/1139, thanks to which the European Union can regulate the civil operations of all types of drones, gradually replacing the national regulations on civil operations of drones weighing less than 150 kg.

Recital 26 of the Regulation expressly states that, since drones use the same airspace as manned aircraft and are equipped with technologies that make a wide range of operations possible today, they must be subject to the same general rules on civil aviation regardless of their mass.

2. What do the new rules say? Privacy and environmental protection obligations

Regulation (EU) 2018/1139 sets out the general principles for ensuring security, protecting privacy and safeguarding the environment.

These rules are proportionate and risk-based, designed to reduce constraints and encourage innovation. For example, sport and recreational aviation, including so-called model aircraft (recreational drones), is subject to simplified procedures compared to those applicable to commercial air transport. On the other hand, operations with high-risk drones are more burdensome for operators.

To ensure safety, the Regulation states that all drones must be controllable and manoeuvrable in total safety and never put people at risk. For example, drones must be equipped with collision avoidance systems.

In addition, all drones should be designed taking into account a privacy by design and by default approach. The risks to privacy and data protection are essentially related to the availability on the UAS of cameras or other sensors that are able to record personal information. As pointed out by the Article 29 Working Party (now known as the European Data Protection Board), the risks are increased by the lack of transparency, due to the difficulty of being able to see the drones from the ground and to know for what purposes the images are taken and especially by whom.

Therefore to protect privacy, and more generally in order to identify offences and violations, the Regulation provides that the drones’ pilots shall be registered in national registers and drones shall be registered in electronic databases that are easily accessible.

To guarantee the protection of the environment, new limits are placed on the noise and emissions generated, as in the case of any other aircraft.

Finally, the Regulation extends the mandate of the EASA (the European Aviation Safety Agency), giving it new powers of inspection, coordination with national authorities, certification tasks and implementation powers, to strengthen the development of a so-called “single European sky”, which now also affects drones of all sizes. The EASA will also play an important role in cybersecurity.

This post is co-authored by my brilliant colleague Ludovica Mosci, who is an outstanding expert in drone regulation.



🔐EU Cybersecurity Act adopted by European Parliament🆕

EU Cybersecurity Act: text approved

As recently posted on the official EU website, on Tuesday 12/03/2019 the EU Parliament adopted the EU Cybersecurity Act with 586 votes to 44 and 36 abstentions. It establishes the first EU-wide cybersecurity certification scheme, to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.


📃💻Electronic invoicing and privacy: what is new in light of the Garante’s decisions

Since 1 January 2019, electronic invoicing has been officially mandatory between private parties too, but in the last two months there have been numerous developments due to the intervention of the Garante per la protezione dei dati personali: new exemptions and a series of adjustments that the Agenzia delle Entrate must put in place to comply with the rules of the new European privacy Regulation no. 679/2016 (GDPR).


🇪🇺 🇬🇧 BREXIT privacy consequences: EU says no adequacy decision is coming

OK, we all know how the GDPR impacts personal data transfers outside the EEA, so … will Brexit make it harder to exchange data with the U.K.?


🎬 #Media: updated audiovisual Directive adopted by EU

🎬 New EU AudioVisual rules are coming 📺

In June 2018, the European institutions’ negotiators confirmed that they had reached an agreement on an updated EU Audiovisual Media Services Directive. On 2 October the final text was adopted by the EU Parliament by 452 votes to 132, with 65 abstentions, and on 6 November the Council adopted the new Directive. This is the final step in the legislative process.

The new directive modifies an existing directive on the provision of audiovisual media services from 2010. Since then, the market for audiovisual media services has evolved significantly. Rapid technical developments have sparked new types of services, viewing habits have changed, and user-generated content has gained in importance. The legal framework is now being updated to take account of these developments.

The revised legislation changes the media landscape for broadcasters and video-on-demand platforms, redefining advertising limits and enhancing the promotion of European works, but also strengthening the protection of minors against harmful content and limiting profiling and behaviourally targeted advertising.

Notably, the text extends the European audiovisual rules to video-sharing platforms, which will now be responsible for reacting quickly when content is reported or flagged by users as harmful. Although no automatic filtering of uploaded content is introduced, platforms may be asked to create a transparent, easy-to-use and effective mechanism to allow users to report or flag content.

Furthermore, under the new rules, advertising can take up a maximum of 20% of the daily broadcasting period between 6:00 am and 6:00 pm, and of the prime-time window between 6:00 pm and midnight.

I believe companies shall start to assess how the revised text may impact their business, considering that the Directive will enter into force on the 20th day after its publication in the Official Journal of the EU and Member States will have only 21 months after its publication to transpose the new rules into national legislation.



🤳Influencer: first incubator on influencers to open in Italy

🤳Influencer #marketing can have a great impact on #sales 💸 and #market #share value 📈. A new #incubator will train new influencers and help them build an actual career out of their online fame. ⬇️Read my latest #LawBytes below⬇️


2019 Budget Law: what is new for Tech & Blockchain

The Council of Ministers has approved the bill for the new 2019 Budget Law; here are the most interesting points on the Tech & Innovation side.


GDPR: the implementing decree has been published!

After a long wait, the decree implementing the GDPR has finally been published.

The usual vacatio legis period will have to elapse before it enters into force.

Here is the link to the text in the Gazzetta Ufficiale.


Stay up to date on upcoming articles by following me on Twitter @Tommyricci05 and on Fb

If you found this analysis useful, spread it by sharing it on your #Social channels, Be Influent!