The main innovations of the GDPR
The main innovations introduced concern the updating of privacy documents and the way consent is requested, the introduction of new documents and processes for the collection, organisation and protection of data, and new roles to be appointed. Let's go through the GDPR privacy requirements point by point.
1. Privacy notice
The privacy notice must always be provided whenever personal data are collected, and before any processing begins.
In addition to the information that was already mandatory, it must include:
- the data retention period
- the purposes of the processing (e.g. marketing purposes)
- the contact details of the Data Protection Officer, if one has been appointed
- the right to withdraw consent.
2. Cookie notice
The cookie notice, too, must always be provided before any non-technical cookies are set.
Both the notice and the banner will have to be rewritten taking into account:
- that consent must be given through an affirmative action (e.g. ticking a box in the extended notice);
- that the user must be able to change their cookie choices at any time through the extended notice;
- whether the site uses profiling cookies to serve targeted advertising;
- that, where analytics cookies are provided by third parties, they are exempt from the consent obligation only if:
– tools are adopted that reduce the cookies' power to identify users
– the third party undertakes not to cross-reference the information obtained from the cookies with other information it already holds.
3. Request for consent
Consent must be requested before personal data are processed. Consent is not required if the processing is necessary:
- for the performance of a contract or to comply with a legal obligation
- for the performance of a task carried out in the public interest
- to pursue a legitimate interest (e.g. some types of direct marketing), or to protect the vital interests of the data subject or of another natural person.
The data subject must be left free to decide whether to consent to the processing of their data. If they refuse consent, they must not be prevented from concluding the contract or from continuing to use the service. In particular, consent must be collected:
- separately from other documents, and
- specifically, for each purpose of the processing (e.g. a separate form, a dedicated checkbox).
4. Register of processing activities
The Register of processing activities, which records all information relating to the processing of personal data, is mandatory for companies and organisations with at least 250 employees. Below 250 employees it is required only when the processing meets any one of the following conditions:
- it is likely to involve risks for the rights and freedoms of the data subject
- it is not occasional
- it concerns "sensitive data" (special categories of data) or data relating to criminal convictions or offences
Personal data must be collected and organised in a lawful, fair and transparent manner. To document this, the GDPR has introduced this new register, which the Data Controller and the Data Processor must keep up to date at all times.
5. Impact Assessment
The Impact Assessment is an analysis of the data and of the related processing, to be carried out before the processing begins in order to identify potential risks to data protection. It is required in the case of:
- processing which involves, in particular, the use of new technologies
- processing likely to result in a high risk for the rights and freedoms of natural persons
- systematic evaluation of personal aspects of individuals through decisions based solely on automated processing
- large-scale processing of sensitive data or of data relating to criminal convictions or offences
- systematic large-scale monitoring of a publicly accessible area
- other cases that may be established by the Data Protection Authority (the Garante).
It is a new requirement introduced by the GDPR to make those who process personal data accountable and to have them assess the risks to the data subjects.
6. Roles to be appointed
Certain roles that work alongside the Data Controller in managing personal data must be appointed, to ensure that the processing complies with the Regulation. They are:
- Representative of the Data Controller
To be appointed if the processing concerns personal data of data subjects located in the European Union but the Data Controller or the Data Processor is established outside the Union. It is not required if the processing is occasional.
- Data Processor
To be appointed when the processing is carried out by an external party on behalf of the Data Controller (through a specific act of appointment as data processor).
- Data Protection Officer
To be appointed if the core activity consists of processing:
– which, by its nature, scope and/or purposes, requires regular and systematic monitoring of data subjects on a large scale,
– which concerns sensitive data or data relating to criminal convictions or offences on a large scale,
– other cases that may be established by legislative decree.
These are new roles that, once appointed, take part in the processing of personal data and bear their own responsibilities for it.
7. Security Measures
The Data Controller and the Data Processor must adopt adequate technical and organisational measures to ensure a level of security appropriate to the risk.
The security measures must guarantee the confidentiality, integrity and availability of the data. The aim is to make those who process the data accountable by requiring them to assess, case by case and on the basis of the risk, which measures are adequate.
The Data Controller may also rely on codes of conduct and certifications, drawn up by competent associations and bodies, to demonstrate compliance.
How to create GDPR-compliant privacy documents?
You can customise and immediately download all the documents needed to comply with privacy legislation by answering a few simple guided questions:
- Register of processing activities
In addition, our GDPR Websites Adjustment Consultancy lets you adapt your site or app to all the obligations laid down by the new European privacy regulation. Through a dedicated analysis, we will indicate the steps needed to bring every aspect of your site into compliance with the GDPR and avoid the penalties provided for in the event of privacy violations.