
Formazione 4.0 (Funded Training)
GDPR (General Data Protection Regulation) EU 2016/679 European Privacy Regulation
As many now know, on May 24, 2016 the new European Privacy Regulation came into force at the European Community level. Its rules will apply from May 25, 2018, and there is little time left to work out the best strategy for applying and implementing it.
The regulation will bring a series of innovations not only for the individual citizen but also for companies, public bodies, freelancers and associations.
First of all, the legislator wanted to introduce clearer rules on information and consent, setting precise limits on the automated processing of data, on breaches of that data and on its transfer outside the European Community.
The aim was to make the rules more transparent, with a single vision across the European Union, so that managing their own data becomes clear and simple for every citizen through explicit consents and revocations.
In an increasingly digital world, particular emphasis has been placed on the portability of personal data. In particular, it will become much easier to transfer your data from one operator to another for contracts such as telephony and utilities (water, electricity and gas), since the current operator will be obliged to transfer the authorized information to third parties.
Even more structured data, such as electronic messaging or files in the cloud, will have to be treated according to this new vision.
One of the important aspects of the new Regulation is its continuity with the provisions of the current Privacy Code and existing regulations, such as Legislative Decree 231/2001 or the Workers' Statute, rules that will remain binding for the entire transition period.
Considering that, in case of a breach involving data for which the company is the controller, the company may be subject to a penalty of up to 4% of its global annual turnover, it is essential that each company, as Data Controller, carries out a careful analysis of the effects the Regulation will have on its individual departments and, therefore, on the internal management of the data it holds in electronic format.
REQUIREMENTS TO BE TAKEN INTO CONSIDERATION:
- Privacy as a data management system: it is essential to be able to reconstruct the data flow on the basis of the company organization, cataloging the processing operations by department and reconstructing every interaction between departments with respect to the transit of personal data.
- Role mapping and privacy organization chart: mapping of the roles of the subjects involved in the processing and creation of an organization chart from a privacy perspective.
- Policy and good practices: the principle of accountability, greatly strengthened in the European Regulation, establishes that it is up to the Controller to demonstrate the company's adherence to its provisions. Documentation and good practices are fundamental, but they must be carefully studied and 'tailored' to each organization.
- Privacy by design and by default: Controllers and Processors will have to implement adequate technical and organizational measures to guarantee, and to be able to demonstrate from the outset, that the data processing complies with the new regulatory framework. This implies renewed contractual balances with suppliers, who will have to ensure technical and organizational measures suitable for satisfying compliance with the Regulation.
- Operational tools: the Privacy Risk Assessment, essential for identifying and tracing the perimeter of the risks to which a process is subjected, and the Privacy Impact Assessment, a document required by the Regulation in certain specific cases, containing, alongside the systematic description of the envisaged processing operations and their purposes, specific assessments of the necessity, proportionality and risks of the processing, as well as the security measures and safeguards adopted to address them.
- Data retention and PIA: the retention periods for each type of processing must be established, reconciling the retention obligation established by law for certain documents and certain data with the erasure obligation that the Regulation will make even more compelling. In some cases it will also be mandatory for companies to draw up a Privacy Impact Assessment, the so-called PIA, a document that must cover the impact the processing put in place may have on the data, from the point of view of the security of data management.
- DPO, the role of the Data Protection Officer: what the legislation provides. Articles 37, 38 and 39 (Section 4) of the GDPR deal with the figure of the DPO (Data Protection Officer), in particular its designation, position and tasks.
