roundtable with the garante

Roundtable with the Garante: Managing data protection law risks to your business in Italy

Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

1

Privacy Laws & Business Privacy Officers Network


24th-25th March 2015

Host: NCTM, Rome

Via delle Quattro Fontane 161 - 00184 Roma (a few metres from the Barberini metro station)

Simultaneous Italian-English and English-Italian interpretation will be provided

Programme

Day 1

13.30 Registration 14.00 Welcome by host: Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome and Secretary General, Italian Compliance Forum (ICF) 14.05 Introduction: Stewart Dresner, Chief Executive, Privacy Laws & Business 14.15 The Garantes perspective: Augusta Iannini, Vice-President, Garante 14.45 Discussion with Augusta Iannini 15.15 International transfers of personal data Sabina Kirschen, Legal Matters (Private Sector) Department, the Garante and Angelo Monoriti, lawyer, NCTM, Rome

1. The Garante as a lead authority and co-leader for BCR applications

2. What the Garante requires for a successful BCR application. Any

additional provisions required for processing?

3. Company experience of applying for a BCR with the Garante as co-leader - Angelo Monoriti, NCTM, Rome

4. The Garantes attitude to the EU attempts to reform the US Safe

Harbor

5. Is consent a valid basis for international transfers of personal data in some circumstances?

6. The use of the EUs Standard Contractual Clauses for sub-processors

in Data Transfer Agreements

7. Other issues on international transfers?

15.35 Discussion



2

15.45 Break 16.10 Employment law and data protection law: Balancing managements need for control and workers rights Valentina Gagliardi, Head of Occupational Matters (Private & Public Sectors) Department, the Garante and response by Avv. Paolo Todaro, Rucellai & Raffaelli, Rome and Alberto Quarti, Data Protection Officer, ATB SpA, Bergamo

1. Control of workers by means, for example, of telephone, e-mail, and

computer-based technique s. Private use of office equipment, for example, computers and telephones. Recent case law in Italy.

2. Remote working (telelavoro). Security measures to be adopted by employees to protect business data. Remote control of employees performance

3. Bring Your Own Device. Accessing e-mails via the Internet

4. Preventing the loss and misuse of personal data

5. What happens when an employee leaves and takes client data?

6. Surveillance in the work place - Alberto Quarti, Data Protection Officer, ATB SpA, Bergamo, Geolocation/Video surveillance. This privately owned but public bus service uses video and GPS to track buses, speed and behaviour of drivers and passengers. It is the first example of the Garantes prior checking and prior notification process for use of video and GPS in a workplace. Accepted on basis of proportionate control to monitor behavior. Implications for other sectors.

7. Managements negotiations with labour unions

8. Notification to Garante needed for biometric identification in the work place. How should companies prepare?

9. What the Garante expects in the prior checking process in order to give approval to a process it considers to be risky.

10. Reform of labour law and its impact on data protection law

16.50 Discussion with the participants 17.20 Concluding remarks: Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome and Secretary General of ICF; and Stewart Dresner, Chief Executive, Privacy Laws & Business

17.30 Close: Day 1 19.30 Dinner (Restaurant near the NCTM office. All speakers and others participants invited. The dinner is included in the Roundtable fee but reservation in advance is necessary).



3

Day 2

9.00 Registration and coffee

9.25 Welcome by host: Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome and Secretary General of ICF; and Introduction: Stewart Dresner, Chief Executive, Privacy Laws & Business

9.30 Governance of the data protection function Matteo Colombo, President, ASSODPO and CEO, Labor Project, Como, and other company participants perspectives

1. Strategic role of Data Protection Officers in companies: The human

rights, employment and consumer law context 2. Planning the position of a Data Protection Officer in your organisation:

Level of authority, reporting lines, boundaries, skill set, personal qualities

3. Operational context: Legal, compliance, risk, audit, training,

certification, qualifications, other responsibilities, communications skills, internal appointment/ external appointment. Requirement to be based in Italy?

4. Ensuring that the Data Protection Officer is consulted on innovations

in the organisation, for example, fingerprint identification for access to bank services.

10.00 Discussion 10.15 Marketing and telemarketing: Gaining consent for use of personal data Lorella Bianchi, Luca Natali, Luana Patti, Olga Sesso Sarti, Silvia Soria from the Legal

Matters (Electronic Networks, Marketing, e-Commerce) Department, the Garante. Responses

by Fabrizio Vigo, CEO, Consodata, and Chairman, Direct Marketing Association, Italy; and

Lorenzo Cristofaro, lawyer, NCTM, Rome

1. Distinction between legitimate marketing and unwanted spam

2. The Garantes decision of 22 May 2014 on the collection and use of personal data from mobile transactions for other purposes (published on 17th June 2014 Doc. 3203981)

3. The Garantes sweep of health related apps. The Garantes next app

priority?

4. How to manage opt-outs (operation of opt-out register in Italy)

5. Call centres based outside Italy or outside the European Economic Area. Advance notification to the Garante 120 days before the outsourcing begins (Art. 24 bis Law no. 134/2012).

6. Garantes injunction (20 February 2014) on silent calls



4

7. Examples of complaints to the Garante leading to inspections and sanctions

8. The Garantes Recommendation for companies offering a Global

Positioning System 10.45 Discussion 11.10 Coffee

11.30 Data breach notification Luigi Montuori, Head of Legal Matters (Electronic Networks, Marketing, e-Commerce) Department, the Garante; and Anna Cataleta, Director, Privacy, 3, the mobile telecom operator, the H3G Group; Andrea Marini, Head of Regulatory Affairs, Vodafone Italia

1. Compulsory data breach notification for telecommunications companies and Internet Service Providers 2. Data breach notification likely to be included in the EU Data Protection Regulation for all sectors 3. The Garantes instruction to banks (n.192 of 12 May 2011 Section 5) 4. Who is responsible when data breaches occur from an outsourced cloud service? 5. Garantes experience? Case law? Companies experience?

11.50 Discussion

12.00 Enforcement of the Garantes decisions DP law inspections by the Garante and/or the Guardia di Finanza. Preparing, performing the inspections, and assessing the results Francesco Modafferi, Head of Inspection Department, the Garante, and Colonel Luciano Lizzi, Head of the Privacy Squad of Guardia di Finanza (Financial Police); and Adriano DOttavio, lawyer, NCTM, Rome

1. Garante inspection alone; Guardia di Finanza alone? By both?

Rationale for choice of inspectors. Differences in inspection methods?

2. Advance information time scale, scope, which staff should be available?

3. Type of inspection staff

4. Powers to demand information. Any exceptions?

5. Requesting information

6. Powers to remove equipment. When? In which circumstances?

7. Timetable for Garantes report to be published. Draft report for

publication for advance discussion with the company? Publication of report and other types of publicity



5

8. Setting of priorities for inspections by the Garante

9. Role for a 3rd party audit to assess level of compliance in an

organisation? If the Garante has received many complaints about an organisation or a few serious complaints, would the Garante sometimes choose a 3rd party audit company to conduct an audit instead of a traditional Garante/Guardia inspection? Would the choice of 3rd party auditor be taken jointly by the organisation and the Garante?

10. Garantes sanctions in different circumstances: Ban on processing,

administrative enforcement, notices, fines, refer companies to the judicial authorities

11. Companies and other organisations perceptions of the Garantes

sanctions Adriano DOttavio, lawyer, NCTM, Rome

12. How companies have appealed against the Garantes fines

13. The impact of publicity about the Garantes fines on a companys reputation

12.45. Discussion 13.00 Lunch 14.00 Preparing for the EU Data Protection Regulation Bruno Gencarelli, Head of the Data Protection Unit, Directorate-General Justice and Consumers, European Commission, Brussels; Allegra Migliorini, Chair of the EU Council of Ministers DP Regulation (DAPIX) Committee under Italys EU Presidency and Magistrate attached to Judicial Cooperation Office (General Directorate for Criminal Justice), the Ministry of Justice, Rome; Antonio Caselli, EU and International Developments Unit, the Garante; Luca Bolognini, Founding Partner, ICT Legal Consulting, Rome and President, Istituto Italiano per la Privacy (IIP), Italian Institute for Privacy; Marco Bassini, Fellow, PhD Researcher in EU Constitutional Law, University of Verona; and comments from the participants

1. The current status of the negotiations

2. Preparing for the appointment of a mandatory Data Protection Officer

after adoption of the EU Data Protection Regulation: Recruiting the right type of person (not to be covered by Garante)

3. One stop shop/Cooperation between national Data Protection

Authorities within the European Economic Area

4. Data portability

5. Right to be forgotten/purpose limitation

6. The potential for collective actions in Italy, supported by a consumer organisation (*see note)



6

7. Other issues to be proposed in advance by the participants

Discussion

15.30 Break

15.50 Preparing for the EU Data Protection Regulation (Continued) Discussion

16.40 Concluding remarks

Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome and Secretary General, ICF;

and Stewart Dresner, Chief Executive, Privacy Laws & Business, London

16.45 Close

Note: It may not be possible for the speakers to cover all points listed. However, the audience

is welcome to ask questions on any point on the programme.

* Note on collective action: What is the potential for collective actions in Italy, supported by a consumer organisation, for example, Altroconsumo and Consumatori Italiani per l'Europa (CIE). Italys law and consumer code includes a provision on collective action which has recently been amended to make it easier to launch an action against a company. Such a case is a business risk of time and reputation even if a complaint is sometimes without foundation and the complainants would find it difficult to make a successful case on privacy issues. Note by the Garante: The current EU Data Protection draft Regulation includes a provision on collective action as a form of redress. While the result is unlikely to result in a US-style class action culture, a milder form of collective action in Europe is on the agenda. The draft Regulation envisages collective representation by an association or similar body upholding data subjects rights much disputed as an issue.

Stewart Dresner, Chief Executive

Privacy Laws & Business E-mail: [email protected]

Tel: +44 (0) 208 868 9200 www.privacylaws.com/Events/Privacy-Officers-Network/Roundtable-with-the-Garante/

2nd Floor, Monument House, 215 Marsh Road, Pinner, Middx, HA5 5NE, United Kingdom 20 February 2015

Partners

1. Italian Compliance Forum http://www.italiancomplianceforum.com/?p=97

2. Associazione Data Protection Officer www.assodpo.it

3. L'Associazione Nazionale per la Difesa della Privacy (National Association for the Defence of Privacy - ANDIP) for information on training and consulting in the field of privacy) www.andip.it

4. Istituto Italiano per la Privacy (IIP), (Italian Institute for Privacy) www.istitutoitalianoprivacy.it

roundtable with the garante

Documents