
GDPR: approved!

The new European Privacy Regulation comes into force

The General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, has become binding for all companies operating in the EU. Since 2004, the Privacy Code (Legislative Decree 196/2003) has provided that the conclusion of a contract or of an online transaction is subject to an authorization to process personal data, which may also be expressed in tacit form, the so-called consent by silence.

The GDPR changes this point by establishing that consent must be free, specific, unequivocal and, above all, informed.

The privacy policy must include the identification data of the data controller and of the DPO, as well as a contact address. It must indicate the purpose, method and duration of the use, whether the information is transferred abroad, the subjects to which it may be communicated, the legal basis, the optional or compulsory nature of the consent, and the rights of the subject (portability, cancellation, rectification, opposition). A violation by the data controller is enough to trigger an investigation by the Guarantor Authority that can lead to heavy penalties. The subscriber must not be led to give consent by deception, and the expression of will must be made by written declaration, by electronic means, or verbally (with a recording). At any time, the interested party must be able to exercise the right to revoke the consent.

The GDPR stresses the importance of verifiability by placing the burden of proving that the consent has actually been given on the data controller.