As many may know, starting from 25 May 2018, the 2016/679 EU Regulation, known as GDPR (General Data Protection Regulation) - relating to the protection perosnal data will be directly applicable in all Member States.





In a nutshell, the GDPR:

  • introduces clearer rules on information and consent;
  • defines the limits to the automated processing of personal data;
  • lays the foundation for the exercise of new rights;
  • establishes strict criteria for the transfer of these outside the EU;
  • sets strict rules for data breach cases.

Theses rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, will therefore have to respect the new rules. Companies and institutions will have more responsibility and case of non-compliance with the rules risk heavy penalties.

The "One Stop Shop"

To solve any difficulties, the "one stop shop" rule has been introduced, which will simplify the management of treatments and guarantee a uniform approach. Companies operating in several EU countries may contact the Privacy Guarantor of the country where they have their headquarters.

Data portability

The regulation introduces the right to "portability" of personal data to transfer them from one data controller to another. The rule is an exception in cases where the data are contained in archives of public interest, such as the registry offices. In this case, the right can not be exercised, as is the transfer of personal data to non-EU countries or international organizations that do not meet the security standards for protection.

The principle of "accountability"

There are other important elements of novelty. In fact, the accountability of the data controllers (accountability) has been introduced and an approach that takes into greater consideration the risks that a particular processing of personal data may entail for the rights and freedoms of the interested parties. This new right will facilitate the transition from one service provider to another, facilitating the creation of new services, in line with the Digital Single Market strategy.

Data breach

The data controller must report any violation of personal data to the Guarantor. Responding effectively to a data breach requires a multidisciplinary and integrated approach and greater cooperation at EU level. The current approach has numerous flaws that need to be corrected. It is not simple but it is necessary to do so in order not to lose the opportunity provided by the GDPR. The first fulfillment to be put in place for Italian companies is certainly the adoption of the Register of processing of personal data, but even before the bureaucratic queries, the company must understand the importance and value of the data, as well as the huge economic damage due to a loss of information If the data breach poses a threat to people's rights and freedoms:

The owner must inform all interested parties in a clear, simple and immediate manner and offer indications on how he intends to limit the damages;

You may decide not to inform interested parties if you believe that the violation does not pose a high risk for their rights or if they demonstrate that they have already taken security measures; or, finally, in the eventuality in which to inform the interested ones could involve a disproportionate effort to the risk. In this last case it will have to provide with a public communication;

The Guarantor Authority may in any case require the data controller to inform the data subjects on the basis of an assessment of the risks related to the violation committed.

The figure of the DPO (Data Protection Officer)

It is no coincidence that the figure of the "Data Protection Officer" (Data Protection Officer or DPO) was set up, responsible for ensuring the correct management of personal data in companies and institutions and identified according to professional qualities and specialized knowledge of the legislation and data protection practice.

The Data Protection Office reports directly to the company’s summit and is independent, as it does not receive instructions regarding the execution of the tasks.

In reality there are still too many doubts on the figure of the DPO is. It is a relevant figure, but certainly it is not the "center" of the system established by the GDPR, which in the new system is always the Data Controller. The DPO must have a specific competence "of the regulations and practices concerning personal data as well as the administrative rules and procedures that characterize the sector". It is no less important, however, that it also has "professional qualities appropriate to the complexity of the task to be performed" and, especially with reference to sensitive sectors such as health, can also demonstrate specific competences with respect to the types of treatment put in place to the holder. The decision-making autonomy and the extraneousness of the DPO with respect to the determination of the purposes and methods of data processing is equally important if we want to return to those affected that sovereignty over the circulation of their data.

Elena Ferrante. Between the "Right to be Forgotten" and Privacy.


“I don’t hate lies, I find them healthy and I use them to hide my person”. 
Thus, it’s written in the autobiography entitled La Frantumaglia by the famous and mysterious Elena Ferrante, whose identity seems to be revealed today.
The author of books become bestsellers is, according to a recent 24Ore’s report, Anita Raja, a translator born in Naples and resident in Rome, whose mother was a Polish Jew escaped from Holocaust. Therefore, the mystery of Elena Ferrante seems to be resolved. Thus, the millions of readers’ (lawful?) dream, who wish to know the name and person behind the famous pseudonym, finally come true.
Firstly, the question is if the report has violated the right of pseudonym. The pseudonym indeed can be used to conceal its true identity, so as an expression of privacy right.
According to Civil Code, pseudonym is a name different from the one attributed by law. However, it can be protected as well as the right to have a name, provided that the pseudonym has achieved the name’s importance otherwise it has carried out the same social identification’s function. If this requirement occurs, (i.e. writers and actors whose pseudonyms are more famous than their name) the person who use pseudonym can demand a restraining order and claim the termination of the pseudonym’s unlawful use, without prejudice to compensation.
However, it doesn’t seem to be the case. The Sole 24ore’s report indeed doesn’t infringe the famous writer’s pseudonym, on the contrary it seems to violate her right to anonymity. The problem is that according to Italian legal system, the general right to anonymity doesn’t exist.
Could Elena Ferrante, who has always said that she doesn’t want to reveal her real identity, invoke protection of Privacy Right (that it is increasingly being denied to public figures)?
Before Privacy Law entered into force, the source of the right to be left alone was a 1975 Italian High Court judgment, that describes this right as the protection of personal and family situations and events which, although they occur outside domestic context, they don’t have a socially valuable public interest. Therefore, violation of right to privacy means any interference that, even if it is carried out by lawful means and for non-offensive purposes, is not justified by reasonable public interests.
Eventually, jurisprudence specified that famous people are supposed to have waved to the part of Privacy Right which is connected to the public context.
Therefore, the line between the right to privacy and the right to information seemed to be the subject’s fame. However, even very popular people retain the privacy right, limited to facts which have nothing to do with the reasons for their popularity. 
The relationship between the right to report and privacy right is very complex and it is regulated by a set of rules stratified over time which have tried to establish a proper balance between the different interests.
There are several privacy rules that journalists have to respect.
The 675/1996 Law regarding Personal Data Protection, then become “Italian Personal data Protection Code” (Legislative Decree no. 196 of 30 June 2003), has created an extensive system of balancing conflicting rights through the provision of several legal means: balancing policies, procedures to accomplish it, jurisdictional instruments.
Italian Law provides different guarantees depending on the nature of Data. Briefly, the use of Personal Data is possible if three conditions are met:
­    The use of Personal Data shall be related to freedom of expression
­    Personal Data shall concern public interest facts
­    the spread shall occur "within essential limits", that is, it is not possible to insert non-strictly necessary information.

The report on the true identity of Elena Ferrante has not been clearly neither confirmed nor disproved. Therefore, if she is really Anita Raja is still a mystery.