On March 6, 2020, the Italian Data Protection Authority (“Garante”) reported on new measures designed to protect the health data of patients in the context of Government procurement efforts (calls for tender) to acquire medical equipment and devices. The new measures are the result of a collaboration between the Garante and Consip, a company wholly

On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the

On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”.  The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.

More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users.  The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.

Continue Reading Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’

By Luca Tosoni and Dan Cooper

On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law.  This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.

The Garante imposed the fine on a company that allegedly made money transfers to China on behalf of individuals without their knowledge or agreement, and therefore did not obtain the individuals’ consent to the processing of their data.

The size of the fine reflects, in part, the fact that a significant number of data subjects were impacted by the breach.  In fact, the Garante concluded that the company had committed a separate privacy violation for each data subject whose data was used without consent.  The fine therefore reflects the sum total obtained from adding up the fine for each individual breach committed by the company.
Continue Reading Italian DPA Issues Record Data Privacy Fine