Privacy at work. New legislation entering into force on May 25, 2018 (Guida al Lavoro de Il Sole 24 Ore, 20 April 2018 – Vittorio De Luca, Elena Cannone, Antonella Iacobellis, Luciano Vella, Lucio Portaro)

Starting from 25 May , 2018, the European Regulation will be fully operative, introducing many news on the matter of privacy; news that companies will have to deal with on a daily basis. First of all, the accountability principle is introduced: more freedom for Data Controllers and Data Processors in the choice of the measures to be adopted but also greater responsibility, especially in view of the penalties established to protect compliance with the Regulations, which has become more severe. Second of all, the new Regulations redefine their territorial scope of application: in fact, companies outside Europe but processing personal data of parties located within the European Union will also be subjected to the application of the Regulation. In addition, the methods in which data are transmitted outside the European Union are carefully regulated. The new legislation, in addition to reaffirming some fundamental rights already known, establishes new ones, such as the so-called right to data portability and the so-called right to be forgotten which, although already known in practice, has been officially regulated for the first time. Another new aspect, which was much discussed, is the mandatory appointment, under certain conditions, of a Data Protection Officer (DPO) tasked with supervising the correctness of the fulfilments in this regard and of acting as a point of contact between the various parties involved (Data Controller, Data Subjects, and Supervisory Authorities). Moreover, again in order to strengthen compliance with the Regulation, if data processing may put at risk the rights of Data Subjects, the Data Controller, prior to processing the data, shall carry out a potential impact assessment (PIA), focused on the analysis of the probability and severity of the risk. Furthermore, from the provision of the Regulation, the system of notifications and communications of possible violations of personal data (so-called Data Breach), is well regulated. In short, the Regulation represents a clear response by the European legislator to the evolution that the concept of “privacy” is undergoing, especially in light of the ongoing industrial revolution. It will, however, have to deal with the legal institutions existing in our system, first of all art. 4 of the Workers’ Statute and Whistleblowing Law 179/2017.