Privacy Laws & Business Privacy Officers Network

Roundtable with the Garante:

Managing data protection law risks to your business in Italy
24th-25th March 2015
Host: NCTM, Rome
Via delle Quattro Fontane 161 - 00184 Roma (a few metres from the Barberini metro station)
Simultaneous Italian-English and English-Italian interpretation will be provided

Programme
Day 1
13.30 Registration
14.00 Welcome by host: Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome
and Secretary General, Italian Compliance Forum (ICF)
14.05 Introduction: Stewart Dresner, Chief Executive, Privacy Laws & Business
14.15 The Garantes perspective: Augusta Iannini, Vice-President, Garante
14.45 Discussion with Augusta Iannini
15.15 International transfers of personal data
Sabina Kirschen, Legal Matters (Private Sector) Department, the Garante and
Angelo Monoriti, lawyer, NCTM, Rome

1. The Garante as a lead authority and co-leader for BCR applications

2. What the Garante requires for a successful BCR application. Any
additional provisions required for processing?
3. Company experience of applying for a BCR with the Garante as
co-leader - Angelo Monoriti, NCTM, Rome
4. The Garantes attitude to the EU attempts to reform the US Safe
Harbor
5. Is consent a valid basis for international transfers of personal data in
some circumstances?
6. The use of the EUs Standard Contractual Clauses for sub-processors
in Data Transfer Agreements
7. Other issues on international transfers?
15.35 Discussion

Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

15.45 Break
16.10 Employment law and data protection law: Balancing managements need
for control and workers rights
Valentina Gagliardi, Head of Occupational Matters (Private & Public Sectors) Department, the
Garante and response by Avv. Paolo Todaro, Rucellai & Raffaelli, Rome and Alberto Quarti,
Data Protection Officer, ATB SpA, Bergamo

1. Control of workers by means, for example, of telephone, e-mail, and

computer-based technique s. Private use of office equipment, for
example, computers and telephones. Recent case law in Italy.
2. Remote working (telelavoro). Security measures to be adopted by
employees to protect business data. Remote control of employees
performance
3. Bring Your Own Device. Accessing e-mails via the Internet
4. Preventing the loss and misuse of personal data
5. What happens when an employee leaves and takes client data?
6. Surveillance in the work place - Alberto Quarti, Data Protection Officer,
ATB SpA, Bergamo,
Geolocation/Video surveillance. This privately owned but public bus
service uses video and GPS to track buses, speed and behaviour of
drivers and passengers. It is the first example of the Garantes prior
checking and prior notification process for use of video and GPS in a
workplace. Accepted on basis of proportionate control to monitor
behavior. Implications for other sectors.
7. Managements negotiations with labour unions
8. Notification to Garante needed for biometric identification in the work
place. How should companies prepare?
9. What the Garante expects in the prior checking process in order to
give approval to a process it considers to be risky.
10. Reform of labour law and its impact on data protection law
16.50 Discussion with the participants
17.20 Concluding remarks: Rocco Panetta, Head of Privacy & IT Compliance, NCTM,
Rome and Secretary General of ICF; and Stewart Dresner, Chief Executive, Privacy Laws &
Business

17.30 Close: Day 1

19.30 Dinner (Restaurant near the NCTM office. All speakers and others participants
invited. The dinner is included in the Roundtable fee but reservation in advance is
necessary).

Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

Day 2

9.00 Registration and coffee

9.25 Welcome by host: Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome
and Secretary General of ICF; and Introduction: Stewart Dresner, Chief Executive, Privacy
Laws & Business

9.30 Governance of the data protection function

Matteo Colombo, President, ASSODPO and CEO, Labor Project, Como, and other company
participants perspectives

1. Strategic role of Data Protection Officers in companies: The human

rights, employment and consumer law context
2. Planning the position of a Data Protection Officer in your organisation:
Level of authority, reporting lines, boundaries, skill set, personal
qualities
3. Operational context: Legal, compliance, risk, audit, training,
certification, qualifications, other responsibilities, communications
skills, internal appointment/ external appointment. Requirement to be
based in Italy?
4. Ensuring that the Data Protection Officer is consulted on innovations
in the organisation, for example, fingerprint identification for access to
bank services.
10.00 Discussion
10.15 Marketing and telemarketing: Gaining consent for use of personal data
Lorella Bianchi, Luca Natali, Luana Patti, Olga Sesso Sarti, Silvia Soria from the Legal
Matters (Electronic Networks, Marketing, e-Commerce) Department, the Garante. Responses
by Fabrizio Vigo, CEO, Consodata, and Chairman, Direct Marketing Association, Italy; and
Lorenzo Cristofaro, lawyer, NCTM, Rome

1. Distinction between legitimate marketing and unwanted spam

2. The Garantes decision of 22 May 2014 on the collection and use of
personal data from mobile transactions for other purposes (published
on 17th June 2014 Doc. 3203981)
3. The Garantes sweep of health related apps. The Garantes next app
priority?
4. How to manage opt-outs (operation of opt-out register in Italy)
5. Call centres based outside Italy or outside the European Economic
Area. Advance notification to the Garante 120 days before the
outsourcing begins (Art. 24 bis Law no. 134/2012).
6. Garantes injunction (20 February 2014) on silent calls

Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

7. Examples of complaints to the Garante leading to inspections and

sanctions
8. The Garantes Recommendation for companies offering a Global
Positioning System
10.45 Discussion
11.10 Coffee
11.30 Data breach notification
Luigi Montuori, Head of Legal Matters (Electronic Networks, Marketing, e-Commerce)
Department, the Garante; and Anna Cataleta, Director, Privacy, 3, the mobile telecom
operator, the H3G Group; Andrea Marini, Head of Regulatory Affairs, Vodafone Italia

1. Compulsory data breach notification for telecommunications

companies and Internet Service Providers
2. Data breach notification likely to be included in the EU Data Protection
Regulation for all sectors
3. The Garantes instruction to banks (n.192 of 12 May 2011
Section 5)
4. Who is responsible when data breaches occur from an outsourced
cloud service?
5. Garantes experience? Case law? Companies experience?
11.50 Discussion
12.00 Enforcement of the Garantes decisions DP law inspections by the
Garante and/or the Guardia di Finanza. Preparing, performing the inspections,
and assessing the results
Francesco Modafferi, Head of Inspection Department, the Garante, and Colonel Luciano
Lizzi, Head of the Privacy Squad of Guardia di Finanza (Financial Police); and Adriano
DOttavio, lawyer, NCTM, Rome

1. Garante inspection alone; Guardia di Finanza alone? By both?

Rationale for choice of inspectors. Differences in inspection methods?
2. Advance information time scale, scope, which staff should be
available?
3. Type of inspection staff
4. Powers to demand information. Any exceptions?
5. Requesting information
6. Powers to remove equipment. When? In which circumstances?
7. Timetable for Garantes report to be published. Draft report for
publication for advance discussion with the company? Publication of
report and other types of publicity
Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

8. Setting of priorities for inspections by the Garante

9. Role for a 3rd party audit to assess level of compliance in an
organisation? If the Garante has received many complaints about an
organisation or a few serious complaints, would the Garante
sometimes choose a 3rd party audit company to conduct an audit
instead of a traditional Garante/Guardia inspection? Would the choice
of 3rd party auditor be taken jointly by the organisation and the
Garante?
10. Garantes sanctions in different circumstances: Ban on processing,
administrative enforcement, notices, fines, refer companies to the
judicial authorities
11. Companies and other organisations perceptions of the Garantes
sanctions Adriano DOttavio, lawyer, NCTM, Rome
12. How companies have appealed against the Garantes fines
13. The impact of publicity about the Garantes fines on a companys
reputation
12.45. Discussion
13.00 Lunch
14.00 Preparing for the EU Data Protection Regulation
Bruno Gencarelli, Head of the Data Protection Unit, Directorate-General Justice and
Consumers, European Commission, Brussels;
Allegra Migliorini, Chair of the EU Council of Ministers DP Regulation (DAPIX) Committee
under Italys EU Presidency and Magistrate attached to Judicial Cooperation Office (General
Directorate for Criminal Justice), the Ministry of Justice, Rome;
Antonio Caselli, EU and International Developments Unit, the Garante;
Luca Bolognini, Founding Partner, ICT Legal Consulting, Rome and President, Istituto Italiano
per la Privacy (IIP), Italian Institute for Privacy;
Marco Bassini, Fellow, PhD Researcher in EU Constitutional Law, University of Verona;
and comments from the participants

1. The current status of the negotiations

2. Preparing for the appointment of a mandatory Data Protection Officer

after adoption of the EU Data Protection Regulation: Recruiting the

right type of person (not to be covered by Garante)
3. One stop shop/Cooperation between national Data Protection
Authorities within the European Economic Area
4. Data portability
5. Right to be forgotten/purpose limitation
6. The potential for collective actions in Italy, supported by a consumer
organisation (*see note)

Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com

7. Other issues to be proposed in advance by the participants

Discussion
15.30 Break
15.50 Preparing for the EU Data Protection Regulation (Continued)
Discussion
16.40 Concluding remarks
Rocco Panetta, Head of Privacy & IT Compliance, NCTM, Rome and Secretary General, ICF;
and Stewart Dresner, Chief Executive, Privacy Laws & Business, London
16.45 Close
Note: It may not be possible for the speakers to cover all points listed. However, the audience
is welcome to ask questions on any point on the programme.
* Note on collective action: What is the potential for collective actions in Italy, supported by
a consumer organisation, for example, Altroconsumo and Consumatori Italiani per l'Europa
(CIE). Italys law and consumer code includes a provision on collective action which has
recently been amended to make it easier to launch an action against a company. Such a case
is a business risk of time and reputation even if a complaint is sometimes without foundation
and the complainants would find it difficult to make a successful case on privacy issues.
Note by the Garante: The current EU Data Protection draft Regulation includes a provision
on collective action as a form of redress. While the result is unlikely to result in a US-style
class action culture, a milder form of collective action in Europe is on the agenda. The draft
Regulation envisages collective representation by an association or similar body upholding
data subjects rights much disputed as an issue.

Stewart Dresner, Chief Executive

Privacy Laws & Business
E-mail: stewart.dresner@privacylaws.com
Tel: +44 (0) 208 868 9200
www.privacylaws.com/Events/Privacy-Officers-Network/Roundtable-with-the-Garante/
2nd Floor, Monument House, 215 Marsh Road, Pinner, Middx, HA5 5NE, United Kingdom
20 February 2015

Partners
1.

Italian Compliance Forum http://www.italiancomplianceforum.com/?p=97

2.

Associazione Data Protection Officer www.assodpo.it

3.

L'Associazione Nazionale per la Difesa della Privacy (National Association

for the Defence of Privacy - ANDIP) for information on training and
consulting in the field of privacy) www.andip.it

4.

Istituto Italiano per la Privacy (IIP), (Italian Institute for Privacy)

www.istitutoitalianoprivacy.it

Roundtable with the Garante: Managing data protection law risks to your business in Italy
Rome, 24-25th March 2015 Privacy Laws & Business www.privacylaws.com