Categories: Insights, Practice

Tag: DPIA, Garante Privacy, GDPR


28 Oct 2018

The European Data Protection Board “dialogues” with the Italian Data Protection Authority with regard to the DPIA

Background

Opinion 12/2018 adopted on 25 September 2018 by the European Data Protection Board or “EDPB”, has recently been made public. The EDPB is the body that is mainly in charge of ensuring a uniform and consistent application of EU Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data (”GDPR”) in all member States. The EDPB succeeded the previous “Working Party 29” or “WP29” and has broader powers and new duties.

As part of its work of aligning the various internal practices, in the last few months the Supervisory Authorities of the member States submitted to the EDPB their list of “types of data processing” which require a prior “data protection impact assessment” (DPIA) as a condition for legality of the processing.

The Italian case

The list submitted by the Italian Data Protection Authority defines six types of processing that require that a DPIA be conducted beforehand. Specifically, these are:(i) processing of biometric data; (ii) processing of genetic data; (iii) processing carried out using innovative technologies; (iv) monitoring of employees; (v) “further processing of personal data” and (vi) processing that refers to a “specific legal basis”.

The EDPB answered the Italian Data Protection Authority with its own observations, some of which were of a general nature while others were of a detailed “prescriptive” nature.

Specifically regarding the processing of biometric and genetic data or processing carried out using new technologies, the EDPB considers that this type of processing is not in and of itself able to create a clear risk to the rights and freedoms of the data subjects. In its opinion, for a DPIA to be required, the presence of at least one more of the nine cases listed in the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” adopted by Working Party 29 and commonly referred to as the WP248 guidelines (e.g.: processing that enables judgement of an individual based on profiling; systematic monitoring; matching of various data sets) is necessary.

On the other hand, the EDPB agrees with the Italian Data Protection Authority when the latter claims that systematic monitoring of individuals that are in and of themselves vulnerable, such as employees, constitutes processing that requires a DPIA.

Prospects

In conclusion, it will be interesting to see how the Italian Data Protection Authority will proceed: if it decides not to follow the “prescriptions” provided by the EDPB, Italy could be the first to be involved in a new dispute resolution mechanism by the Board, with the so-called “consistency mechanism” pursuant to Articles 63, 64 and 65 of the GDPR.

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…