Diritti interna

Doveri interna

ricerca avanzata

ANNUAL REPORT 2013 / Press Memo

Versione italiana

ITALIAN DATA PROTECTION AUTHORITY

ANNUAL REPORT 2013 / Press Memo

The Annual Report 2013 submitted by the Italian Data Protection Authority to Parliament on 10 June 2014 takes stock of the work done by the DPA in its 17th year of activity. The Italian DPA is a collegiate body whose members include Antonello Soro, Augusta Iannini, Giovanna Bianchi Clerici, and Licia Califano.

As well as taking stock of the work done, the Annual Report highlights the way ahead in order to make data protection genuinely effective with particular regard to the new communication and IT tools.

Key Areas of Activity
Global surveillance and Datagate; Internet and the role played by major ISPs; transparency of public administration online and safeguards to be afforded to citizens; social networks and cyberbullying; taxation and taxpayers´ privacy; mobile payment services; biometrics, also in the workplace; protecting children on media and the Web; protecting personal data in judicial proceedings; unsolicited telemarketing; consumer rights; simplification measures for businesses; public and private databases; schools; political parties and movements; retention of telephone and Internet traffic data – these were some of the main areas of activity for the DPA in 2013.

The Net has been very much the focus of activity of the DPA, which imposed a 1-million Euro fine on Google because of shortcomings in its Street View service and also started an action jointly with other European DPAs on account of Google´s new privacy policy. The DPA stepped in to enhance transparency for users in emailing services, including voice mailing, and set out rules to protect privacy on smartphones and tablets. A specific consent mechanism and form were laid down recently to regulate the use of cookies, whilst data subjects´ right to have online media archives updated was strengthened further.

Injunctions were issued against many municipalities to ban the posting on their websites of medical data concerning citizens, as part of a broader strategy to reconcile transparency in public administration with personal privacy; Guidelines for online transparency were addressed recently to public bodies.

The DPA laid down rules on the obligation for telecom companies to notify personal data breaches to users and the DPA itself – e.g. following IT attacks or adverse events.

Another important task was that of setting forth rules to protect citizens vis-à-vis the activity of call centers located in third countries; additionally, specific measures and sanctions were imposed on telemarketing companies to prevent aggressive practices including "silent calls". Provisions were made to ensure credit bureaus would process personal data in compliance with the law and attention was also paid to the protection of privacy in connection with joint tenancy. Finally, Guidelines were adopted concerning marketing and in order to counter spam.

Significant measures were those aimed at regulating the use of biometric signature by banks as well as the use of fingerprints for assiduity controls in the workplace.

The DPA updated its general authorizations for the processing of sensitive and judicial data, which apply to various categories of data controller; it also re-issued the general authorization on the use of genetic data and updated the one concerning medical and scientific research activities.

A Few Figures
Over 606 decisions were adopted by the collegiate panel of the DPA in 2013.

The DPA handled 4,185 complaints and requests for information regarding, in particular, the following sectors: telephony; credit bureaus; video surveillance; employment; journalism.

The decisions on right of access complaints amounted to 222, mostly in connection with banks and financial companies, public and private employers, marketing and insurance companies, telephone and Internet operators.

The DPA rendered 22 opinions to Government and Parliament addressing, in particular, the implementation of IT in public databases, police and national security, and training activities.

The number of on-the-spot inspections rose by 4% compared to 2012, totaling 411. The inspections concerned several sectors such as call centers and unsolicited telemarketing; the tax revenue database; consumer credit; credit bureaus; the information system of Italy´s social security agency (INPS); mobile payment services; personal data breaches.

Administrative enforcement notices were 850 in 2013 as compared to 578 in the preceding year; a considerable portion concerned unlawful data processing mostly for telemarketing purposes and/or without the data subjects´ consent. Other frequent findings were the provision of no or inadequate information to users, the excessive retention of telephone and Internet traffic data, the failure to take security measures, the failure to notify processing operations to the DPA, and the failure to comply with decisions and/or injunctions by the DPA.

The fines levied on account of administrative sanctions amounted to over 4 million Euro.

In 71 cases, information was preferred to judicial authorities in particular following the failure to adopt minimum security measures to protect personal data.

The workload of the front office was also on the rise compared to 2012. Over 31,000 requests were handled concerning, in particular, unsolicited calls, Internet, disclosure of information by public bodies, video surveillance, and employer-employee relationships.

The International Dimension
Of no less momentum was the DPA´s work at international level, starting from its contribution as a member of the "Article 29" Working Party of the EU´s DPAs to several opinions and documents – concerning cookies, smartphone apps, smart metering systems, open data, drones, data breaches, data anonymization techniques, cloud computing, contractual clauses for multinationals, etc.. Reference was already made to the joint initiative undertaken at EU level vis-à-vis Google.

The EU DPAs addressed the future General Data Protection Regulation that is expected to replace the 1995 Directive and also worked on the draft law enforcement data protection Directive.

The Italian DPA followed the discussion on the review of the EU´s regulatory framework very closely by also taking part as a technical expert in the meetings of the DAPIX Working Party of the EU Council.

Reference should also be made to the DPA´s work for the Council of Europe, which is in the process of revising the 1981 data protection Convention; further, the DPA participated in several other international forums such as those set up by the OECD.

Finally, the DPA contributed substantially to the work done by the Schengen, Europol and Eurodac joint supervisory bodies.

Rome, 10 June 2014