The acronym GDPR (General Data Protection Regulation) refers to Regulation No. 2016/679, which came into effect on May 24, 2016 and became applicable as of May 25, 2018.
The GDPR constitutes the main regulatory text on the processing of personal data.
It stems from specific needs for legal certainty and for simplification of the regulations on the processing of personal data.
Beyond regulatory simplification and harmonization, the new regulatory text also stems from the need to meet the new challenges posed by digital innovation and to protect privacy and personal data in the face of it.
As specified by, among others, the European Union, the GDPR was created to pursue the following objectives:
- unify and harmonize personal data protection regulations among different countries in the Union;
- respond to the new data protection requirements that have arisen as a result of increasing digital innovation and transformation;
- increase European citizens’ confidence in the new digital society and its public and private actors.
If we were to simplify GDPR into a few points, here are the main ones:
- the concept of owner empowerment is introduced;
- higher amounts for administrative fines are defined depending on the provisions violated;
- the concepts of “privacy by design,” “risk-based approach,” “adequacy of security measures,” “impact assessment,” and especially “data breach” are introduced;
- more stringent rules are outlined for the selection and appointment of a controller and any sub-controllers;
- the mandatory appointment of a Data Protection Officer is introduced in some cases;
- clearer rules on disclosure and consent are defined;
- the category of rights to which the data subject is entitled is expanded;
- even stricter criteria are established for the transfer of data outside the European Union.
Since it is a Regulation, the GDPR has been implemented in the same way in all Member States of the Union.
In Italy, in fact, on September 19, 2018, Legislative Decree No. 101 of August 10, 2018 came into force, which introduced the provisions for the adaptation of Italian legislation to the GDPR.