
    25.05.2021

    Happy Birthday, GDPR!


    Regulation (EU) 2016/679, also called “General Data Protection Regulation” (the “GDPR”), turns three.

     

    The GDPR indeed came into force on 25 May 2018, becoming the global benchmark for personal data protection as well as a convergence factor in the development of standards. With the adoption of the GDPR, the European Union took a leading role in the international data protection landscape, prompting several third countries to align their data protection regulations with the GDPR. New solutions remain to be found that reconcile the protection of personal data with its circulation, for example with regard to relations and trade with the United States after the Schrems II judgment of the European Court of Justice, which invalidated the Privacy Shield.

     

    The GDPR has certainly revolutionised the approach of businesses and citizens to privacy, which has gone from being the Cinderella of law to a priority subject, and there are many reasons for this.

     

    First on the list of reasons is, certainly, the introduction of a wide range of administrative sanctions. The main change is the duration, scope and severity of some of these fines, which can be (i) up to 10 million Euros or, alternatively, up to 2% of total global turnover in certain cases, or (ii) up to 20 million Euros or up to 4% of total global turnover in the most serious cases. In some cases, the most serious breaches may even amount to a criminal offence.

     

    This has led to an exponential increase in the number of companies adapting to the rules introduced by the GDPR and to a greater level of attention to privacy risk also on the part of top management.

     

    Another important novelty was the creation of a new job figure: the Data Protection Officer, also known as the DPO, a new "actor" in the "privacy system" that has contributed significantly to the success of the GDPR. Indeed, the presence of numerous DPOs (there are now thousands of DPOs), apart from the work done within the structure of the controller who made the appointment, has given rise to a peculiar phenomenon: seeking compliance, or any elements of the compliance requirement, from other controllers with whom the controller interacts to establish, continue or maintain commercial or other relationships. This caused an unforeseen domino effect, which has triggered a need for compliance that in past years was primarily linked to the fear of control by the Authority for the protection of personal data (the "Data Protection Authority").

     

    Furthermore, reference must be made to the principles of privacy by design & by default, accountability and the many rights of data subjects, including the right to be forgotten.

     

    In Italy, the Data Protection Authority has announced that, from the entry into force of the GDPR to 31 March 2021, it received:

    • 59,838 communications of DPO contact details,
    • 27,192 complaints and reports, and
    • 3,873 personal data breach notifications.

    Three years after its entry into application, the GDPR can be considered an overall success, though there is still a long challenge ahead. The focus must continue to be on improving implementation and on actions to strengthen the enforcement of data protection laws. There is a need for strict and effective enforcement of the GDPR and for increased awareness of the management of personal data and its fundamental importance in the information society. There is also a need for increased "digital maturity" on the part of data subjects and increased accountability on the part of owners of large digital platforms, integrated companies, and other digital services, particularly in the areas of online advertising, micro-targeting, algorithmic profiling, science and genomics, and the ranking, dissemination and amplification of content.

     

    In conclusion, the GDPR has garnered considerable interest and attention in light of the digital marketplace and big data boom. The EU Institutions have foresightedly overcome the – to say the least – jagged legal system governing data protection among Member States. The GDPR certainly represents a revolution in European data protection law.

     

     

     

    This article is for information purposes only and neither is nor can be considered as a professional opinion on the topics covered. For further information, please contact Marco Cappa and Claudia Colamonaco.
