Italian Legislative Decree No. 101 of 10 August 2018 (the "Decree") becomes effective today, 19 September. It fully implements in Italy the well-known European Regulation No. 679 of 27 April 2016 (General Data Protection Regulation, in short “GDPR”), and partially repeals the prior Italian Legislative Decree No. 196 of 2003 (also known as the "Privacy Code").

The Decree’s full text (in the Italian language) can be found at:;jsessionid=mZ--3ugjFdCxTQ9N43QJAA__.ntc-as3-guri2b?atto.dataPubblicazioneGazzetta=2018-09-04&atto.codiceRedazionale=18G00129&elenco30giorni=true.

Included in the Decree are specific provisions governing the processing of personal data in Italy for several purposes, such as for the public interest, the exercise of public authority, national security and defense, public access rights, the health sector, for historical, statistical and scientific research, electronic communication services, and news reporting.

Here are some interesting areas and new rules for commercial companies operating in our country.

(1)  Minors and Social Media:  For minors below 14 years of age, consent for personal data processing may only be provided by those who have parental responsibility for them.  Between their 14th and 18th birthday, consent may be given by minors themselves, provided that they receive from the relevant operators a request based on a simplified information notice written in appropriate, clear language.

(2)  Deceased Persons’ Data:  Access to such data (see Sections 15-22 of the GDPR) is allowed only for individuals who are acknowledged as having a recognized personal interest, or are acting on behalf of the deceased in order to protect the latter’s or their family’s reputation and other qualified rights.

(3)  C.V. Information:  An individual submitting voluntarily his/her own resume need not provide consent for personal data processing, to the extent that the recipient will be handling such data for contractual or pre-contractual purposes, subject to delivery of a timely privacy information notice to the individual concerned.

(4)  General Cases:  The Italian Data Protection Authority (in short "IDPA") shall publish the list of general-purpose authorizations for personal data processing already in place which remain effective in Italy under the GDPR regime (Sections 6, para. 1/c-e and 9, para. 2/b); all other “general authorizations” are withdrawn.

(5)  Smaller Operators, Simplification:  The IDPA shall issue guidelines for the simplified implementation of GDPR’s principles applicable to medium-size to small operators in the Italian market.

(6)  Harsh Criminal Penalties: Imprisonment from 6 to 18 months for the unlawful processing of personal data; from 1 to 6 years for the unlawful, widespread communication and dissemination of personal data; from 1 to 4 years for the fraudulent acquisition of personal data in bulk; from 6 months to 3 years for false declarations to the IDPA or interference with its functions; from 3 months to 2 years for unjustified failure to comply with the IDPA’s requests and instructions.

(7)  Big Fines:  Pursuant to the GDPR, administrative sanctions (fines) for privacy violations may be levied – depending on the type of breach – for up to 10 or 20 million Euro, or up to 2% or 4% of the breaching party’s worldwide turnover in the prior year.

(8)  Facilitated Settlements:  A party undergoing a procedure for previous privacy violations may apply for its termination by 20 December 2018 by paying a fine equivalent to 2/5 (40%) of the minimum applicable penalty; the Decree’s “decriminalization” of certain violations is also applicable to prior cases, and the heavier fines introduced by the Decree shall not exceed the amounts originally provided for prior breaches.

(9) Temporary ‘Soft’ Regime:  For the eight months following the date of the Decree’s entry into force (today), the IDPA is empowered to apply lighter penalties justified by the initial difficulties in complying with GDPR provisions.


* * * *

Our firm’s legal team specialized in personal data protection rules is fully available with respect to issues arising from the GDPR and Italian Decree No. 101 of 2018 (see above); please send your queries through the "Contact" section of this website.