The dreaded GDPR will come into force on 25 May 2018.
First of all, let’s explain what it is.
The acronym GDPR (General Data Protection Regulation) refers to the European Union Regulation no. 679/2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data.
It should be pointed out that an EU regulation is a legislative act with a general and mandatory scope in all its elements.
Furthermore, the regulation is directly applicable: this means that it does not require a transposition act by the individual member states.
Having said that, the regulation we are talking about introduces important changes regarding the protection of personal data and, in the area that concerns us most closely, the web, entails among other things the need to update privacy policies previously drafted pursuant to Legislative Decree 196/2003.
Therefore, below we list the main changes introduced on the subject.
First of all, we specify which processing falls outside the scope of the GDPR.
The aforementioned regulation does not apply to the processing of personal data:
a) carried out for activities which do not fall within the scope of Union law;
b) carried out by Member States in the exercise of activities falling within the scope of Title V, Chapter 2, TEU;
c) carried out by a natural person for the exercise of exclusively personal or domestic activities;
d) carried out by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of crimes or the execution of criminal sanctions, including the safeguarding against threats to public safety and the prevention thereof.
By personal data we mean any information relating to an identified or identifiable natural person, such as, by way of example, a name, an identification number, location data, an online identifier, or one or more factors specific to that person's physical, physiological, psychological, economic, genetic or socio-cultural identity.
Art. 6 of the GDPR identifies the conditions in the presence of which the processing of personal data can be considered lawful.
a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures adopted at the request of the data subject;
c) the processing is necessary to fulfil a legal obligation to which the data controller is subject;
d) the processing is necessary to safeguard the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller;
f) the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties.
In the latter case, however, lawfulness is conditional on the fundamental rights and freedoms of the data subject that require the protection of personal data not prevailing in the balance of interests. This applies above all where the data subject has not reached the age of majority.
In the case under letter a), i.e. when the processing is based on the consent given by the data subject, it is necessary that:
- the request for consent, formulated in simple and easily understandable language, is clearly distinguishable from any other matters submitted together with it;
- the data controller keeps proof that the data subject has given consent to the processing of their personal data;
- the data subject can withdraw consent at any time with the same ease with which it was granted, and is duly informed of this right;
- consent is given by a person who is at least 16 years old. If the data subject is under 16, valid consent can only be given by the holder of parental responsibility.
The first of the main changes concerns the information that the data controller must provide to the data subject when personal data are collected directly from the latter, which must include:
- the identity and contact details of the data controller and, where applicable, its representative and the data protection officer (DPO);
- the purposes of the processing for which the personal data are intended, as well as the legal basis of the processing (law, performance of a contract, fulfilment of a request from the data subject);
- if the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, the legitimate interest pursued;
- the recipients or categories of recipients of the personal data;
- the possible intention of the data controller to transfer personal data to a third country or to an international organisation, and the existence of an adequacy decision by the Commission or, in the absence of such a decision, the reference to the appropriate or suitable safeguards and the means to obtain a copy of such data or the place where it has been made available;
- the retention period of the personal data or, if this is not possible, the criteria used to determine this period;
- the right of the data subject to ask the data controller for access to their personal data and for rectification or erasure of the same, or for restriction of the processing concerning them, or to object to the processing;
- the right to data portability;
- the right to withdraw the consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation;
- the right to lodge a complaint to a supervisory authority;
- the possible consequences of failing to provide such data (e.g. legal sanctions, liability for breach of contract, or "simply" the inability to receive the requested service);
- the existence of an automated decision-making process, including profiling;
- if the data controller intends to further process the personal data for a purpose other than that for which they were collected, the need to provide the data subject, before such further processing, with information on this different purpose and any other relevant information.
Pursuant to art. 14, if the data are collected from a third party, the information, which must be communicated within a term defined as "reasonable", not exceeding 1 month, or in any case no later than the first communication with the data subject or other recipient, must additionally include the following:
- the categories of personal data being processed;
- the source from which these data originate, including whether it is a source accessible to the public.
Without any claim to be exhaustive, we hope to have summarised in these few lines the salient features of the changes to be made to the privacy policies published on websites.
We realise, however, that applying the new legislation is not, in practice, so easy, and it can be all the more complicated when you do not have sufficient expertise in the field or, at least, the time needed to acquire it.
In the latter circumstance, it can be extremely useful to turn to applications that can be integrated into the site at very affordable prices, developed by industry experts assisted by a team of lawyers.
An industry leader is, unquestionably, Iubenda.
We ourselves have decided to use the product they provide because, after analysing what the market currently offers, their software appears unbeatable in terms of the quality-price ratio.
If you have a site and want to install the application yourself, you can do so by clicking on the following image, and you will enjoy a 10% discount on your first year with Iubenda.