Italy Data Breach Response Plan: Notification Obligations and Consequences
Introduction
Italy's data breach notification framework is set by the General Data Protection Regulation (GDPR), which applies directly, supplemented by national law and by provisions of the Italian Data Protection Authority (the Garante). This article provides an overview of the legal requirements for notifying the regulator and affected individuals in the event of a personal data breach affecting residents of Italy, and of the consequences of failing to do so.
Notification Obligations
Under Article 33 of the GDPR, a controller must notify personal data breaches to the competent supervisory authority, which for controllers established in Italy is the Italian Data Protection Authority (Garante). Communication of a breach to the affected data subjects is governed by Article 34 and is required where the breach is likely to result in a high risk to their rights and freedoms. Italy has not introduced separate national notification rules on this point; the GDPR provisions apply as such.
Conditions for Notification
Notification is required when a personal data breach occurs, that is, a breach of security affecting the confidentiality, integrity, or availability of personal data processed under the responsibility of a controller or processor, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The obligation to notify the authority rests with the controller; a processor that becomes aware of a breach must instead notify the controller without undue delay (Article 33(2)). These obligations apply to controllers and processors established in Italy.
Required and Suggested Content, Time Period, and Method
The notification shall contain the information listed in Article 33(3) of the GDPR: the nature of the breach, including the categories and approximate number of data subjects and records concerned (not the identities of the data subjects), the contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it. Notification must be given without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach; a later notification must be accompanied by the reasons for the delay, and information that is not yet available may be provided in phases (Article 33(4)).
- The notification must be sent to the Italian Data Protection Authority by certified e-mail (PEC) or ordinary e-mail, signed either digitally or by hand.
- A copy of the signatory's identity document must be enclosed.
- The standard notification form published by the DPA may be used for the filing.
Penalties and Fines
According to Article 83(4)(a) of the GDPR, failure to comply with the notification obligations is subject to administrative fines of up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition to the administrative fine, a controller or processor that fails to notify may face civil claims for compensation from data subjects who have suffered material or non-material damage as a result of the breach (Article 82 of the GDPR).
Notification Recommendations
Even where no legal obligation to notify has arisen, notification is still recommended. Under the territorial scope set out in Article 3 of the GDPR, the Regulation applies, in general, to the processing of personal data of data subjects who are in the Union (including Italy), irrespective of whether the controller or processor is established in the same country as the data subjects, so a foreign organisation processing data of people in Italy may be subject to the same obligations.
Applicable Data Protection Laws and Guidelines
The main national data protection laws and regulations include:
- Personal Data Protection Code (Legislative Decree no. 196/2003), as amended by Legislative Decree no. 101/2018 to align it with the GDPR
- Network and Information Systems Security (NIS) Directive, implemented through Legislative Decree no. 65/2018, which imposes separate incident notification duties on operators of essential services and digital service providers
- Provision on the notification of personal data breaches issued by the Italian Data Protection Authority
Contact Information for the Local Data Protection Authority
- Name: Garante per la protezione dei dati personali
- Address: Piazza Venezia n. 11 – 00187 Rome, Italy
- Telephone: +39 06 6967 71
- Fax: +39 06 6967 73785
- Email: garante@gpdp.it
- Certified email: protocollo@pec.gpdp.it
- Website: www.garanteprivacy.it
For More Information
Contact:
- Name: Daniele Vecchi
- Firm: Gianni, Origoni, Grippo, Cappelli & Partners
- Address: Piazza Belgioioso, 2 20121, Milan, Italy
- Telephone: +39 02 7637 41
- Fax: +39 02 7600 9628
- Email: dvecchi@gop.it
- Website: www.gop.it