SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
Italy
The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction.
Together with the GDPR, Legislative Decree 196/2003 (the Privacy Code), as lastly amended by Legislative Decree 101/2018, constitutes the main source of the data protection regime in Italy. Among other things, the Privacy Code implements derogations and sets out specific provisions as permitted by the GDPR.
The Garante per la protezione dei dati personali (the Garante) is the regulator responsible for enforcing the GDPR, the Privacy Code and all the other data protection provisions.
A number of provisions have particular relevance in the context of investigations. All processing must have a valid legal basis under the GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the data involved includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, in relation to both transfers within an organisation (and with its advisers) and transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Italy
Confidentiality
Under Italian law, a duty of confidentiality may arise from:
- specific confidentiality agreements;
- specific legislation, such as that governing industrial secrets; and
- principles of Italian contract law, such as the fairness principle in the execution of a contract or, according to a divergent opinion, the general principle of good faith in the performance of a contract.
Banking confidentiality
Italian law does not contain specific provisions on bank confidentiality. However, banks have a strict general duty of confidentiality towards their clients in relation to the safeguarding and protection of any customer data.
It is an implied term of the contract between a bank and its client that the bank will not divulge any confidential information about its client to any third party. This duty of confidentiality arises as a result of the bank-client relationship and it applies to all Italian banks, including Italian branches of foreign banks.
This duty of confidentiality arises from:
- customary market practice and usage;
- specific confidentiality agreements in force between the bank and its client;
- specific legislation, such as that governing industrial secrets; and
- principles of Italian contract law, such as the fairness principle in the execution of a contract or, according to a divergent opinion, the general principle of good faith in the performance of a contract.
Consequently, a restriction on data disclosure is an implied term in the contract between a bank and its client. Such restriction will apply to any bank with a (pre-)contractual relationship with a client, where such relationship is governed by Italian law. Nonetheless, there are exceptions to such duty of confidentiality, as in the case where a client has consented to such disclosure, the bank has to communicate such data to public entities to comply with specific legal obligations or the bank needs to use such information to exercise a right before a court.
Legal professional privilege
Under Italian law, there is a legal professional privilege between a lawyer and their client and it concerns the information provided by the client or acknowledged in the course of the lawyer’s mandate.
Once established, legal professional privilege is a substantive right to withhold disclosure of privileged documents and to prevent the lawyer from testifying on information acknowledged in the course of their mandate and/or during the preliminary activities before the official mandate. Italian law also provides for specific safeguards in the event of searches and seizure of documents in the lawyer’s premises, or interceptions concerning the object of the mandate.
Law on whistleblowing
Under Italian law, an employer that establishes a whistleblowing system must ensure that the identity of the whistleblower is kept confidential. The identity of the whistleblower must not be disclosed during the investigations, unless they have previously agreed to the disclosure or, according to court judgments, unless the disclosure is essential to ensure the right of defence of the person subject to the investigation.
Other
There are other laws and regulations relating to the sharing of data and cooperation between judiciary authorities in a criminal context, which may be relevant for the purposes of an investigation depending on the specific context.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
3. What constitutes personal data for the purposes of data protection laws?
Italy
The GDPR defines personal data as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.
Data that are truly anonymised will not be “personal data” for the purposes of the GDPR, as they do not identify the individual. Data are not truly anonymised if the individuals to which the data relate could be re-identified by reasonably available means.
Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remain personal data for the purposes of the GDPR.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
Italy
The Privacy Code does not expressly regulate its territorial scope of application. In the absence of an express provision in this regard, we would tend to consider that the same criteria applied by the GDPR as to its territorial scope would be applicable to the Privacy Code. In other words, the Privacy Code may apply to:
- the processing of personal data in the context of the activities of an establishment of a controller or a processor in Italy, regardless of whether the processing takes place in Italy or not;
- the processing of personal data of data subjects who are in Italy by a controller or processor not established in Italy, where the processing activities are related to: (i) the offering of goods or services; or (ii) the monitoring of their behaviour as far as their behaviour takes place within Italy.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Italy
Italian data laws address the processing of personal data in general, not specifically in the context of investigations. For example, the GDPR sets out a number of core data protection principles, with which controllers must comply, including in relation to an investigation.
A privacy notice should be provided to the data subject at the time the personal data is obtained (unless an exemption applies). In all circumstances, this must include (as per articles 13 and 14 of the GDPR):
- the identity and contact details of the controller;
- the contact details of the data protection officer, where applicable;
- the purposes and legal basis for the processing (including any legitimate interests relied upon where this is the legal basis for processing);
- the categories of personal data concerned;
- any recipients or categories of recipients of the personal data; and
- where applicable, the fact that the controller intends to transfer personal data to a third country, the existence (or absence) of an adequacy decision by the European Commission and, if there is no adequacy decision, the safeguards used for the transfer of that personal data.
The controller should also inform the data subject of: the period for which their personal data will be stored; the existence of the right to request access, rectification or erasure; the right to restrict the processing; the right to object to the processing; the right to data portability; the existence of automated decision making (including profiling); and the right to lodge a complaint with a supervisory authority.
If the personal data has been obtained directly from the data subject, article 13 of the GDPR will apply and the controller must also inform the data subject whether the provision of personal data is subject to a statutory or contractual requirement and of any potential consequences of failing to provide that personal data.
It may be the case in an investigations context that personal data has not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply, unless such application would jeopardise the investigations or it is expressly excluded by a provision of law, and the fair processing information given to data subject must also include the categories of personal data processed, the source of personal data and details of any personal data obtained from directly accessible sources.
The GDPR sets out a number of data protection principles that controllers must comply with. The first principle is that personal data must be processed “lawfully, fairly and in a transparent manner”. This means that data cannot be processed unless there is a legal basis under article 6 of the GDPR. The following legal bases are available:
- the data subject has given his or her consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the controller; or
- the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.
Generally, the legitimate interest is the legal basis which is relied upon in case of investigations.
In respect of sensitive data (or “special categories of personal data”), the processing must also comply with one of the stricter legal bases set out in article 9 of the GDPR. Sensitive data is defined as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation. The Privacy Code, in turn, sets out specific provisions applying to the processing of certain special categories of data (eg, genetic and biometric data) or certain processing purposes (eg, the processing is necessary for reasons of substantial public interest). In an investigations context, relevant conditions for the processing of sensitive data may include where:
- the individual has given their explicit consent to the processing for one or more specified purposes;
- the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
- the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.
The processing of data about criminal convictions and offences is dealt with separately to sensitive data, under article 10 of the GDPR. This provides that such data can only be processed where authorised under national law.
Furthermore, article 2-octies of the Privacy Code states that criminal data may not be processed otherwise than under the supervision of a public authority except where:
- there is a legal basis under article 6 GDPR; and
- such processing is authorised by a provision of law or, when provided by the law, of regulation providing for adequate safeguards for data subjects’ rights and freedoms.
In the absence of such provision, the Minister of Justice may issue a decree identifying the cases in which processing of criminal data is allowed. This decree has not been published yet.
Controllers must comply with the following data protection principles:
- Principle 1: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”, see above for further details on transparency requirements);
- Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”);
- Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”);
- Principle 5: personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”); and
- The controller must also be able to demonstrate compliance with each of these principles (“accountability”).
In addition, under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Finally, the Garante has set out a Code of Conduct for private investigations, including those performed by lawyers in the context of judicial proceedings, and Guidelines on the processing of special categories of data by private investigators. Both sources, where applicable, may include more specific data processing provisions and instructions.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Italy
In addition to what has been stated above, a company, before starting an investigation, should ensure that it meets all the requirements provided by Italian law in this regard. More specifically:
- if it intends to investigate employees' devices or to use CCTV, it shall duly consider whether, according to Italian labour law, an authorisation is needed for performing the investigation; and
- if the investigation is performed on employees' IT devices, it shall ensure that it has delivered to employees, in addition to the privacy notice, a policy on monitoring or on the appropriate uses of IT devices. Indeed, according to the Garante, it is important to ensure that employees are duly informed of the appropriate uses of IT devices and of the kinds of monitoring activities that may be performed.
Moreover, a company carrying out an internal investigation may share the data with a third party. Before sharing such data, the company shall ensure that the third party complies with data protection laws and regulations and it implements appropriate safety and organisational measures. If the third party is located outside the European Economic Area (EEA), the company shall comply with GDPR provisions on cross-border transfers.
Due care shall be given to the third party’s data protection role to understand whether it qualifies as: an independent controller; a joint controller; or a processor. Depending on the data protection role, the company may need to regulate the transfer by entering into appropriate data protection arrangements.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
RIGHTS OF INDIVIDUALS
7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?
Italy
The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.
There is no prescribed form for consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.
In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).
Consent can be also obtained through a website or other electronic means.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
8. If not mandatory, should consent still be considered when planning and carrying out an investigation?
Italy
Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that cannot be contracted out of), which would be difficult to manage in the context of the investigation.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
9. Is consent given by employees likely to be valid in an investigation carried out by their employer?
Italy
No, it is unlikely that such consent is valid. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties.
Given the imbalance of power existing between the employer and the employee, it would be advisable to rely on an alternative lawful basis, such as the necessity to comply with a legal obligation or legitimate interest.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?
Italy
There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. It is advisable to keep written records of consent given by data subjects.
Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties.
Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.
The controller should also consider the requirement for consent to the processing for sensitive data to be explicit.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?
Italy
Right of access
A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.
A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.
Article 119 of the Italian Banking Consolidated Act provides that the client, his or her successor and the person who takes over the management of the client’s activity have the right to obtain, at their own expense, within a reasonable time period and, in any case, no later than 90 days, a copy of the documentation concerning individual banking transactions undertaken in the past 10 years.
Right of rectification and erasure
Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate.
Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).
Right to object
In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings. A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.
The rights set out by articles 15–22 of the GDPR are also applicable to deceased persons’ data and may be exercised by anyone who has an interest, acts on the data subject’s behalf as his or her representative, or acts for family reasons deserving protection (article 2-terdecies of the Privacy Code).
The Privacy Code also provides for specific limitations to the above-mentioned GDPR rights.
A. Article 2-undecies of the Privacy Code provides that these rights may not be exercised by the data subject to the extent that the exercise may result in a concrete and effective prejudice to:
- the interests protected by the provisions regarding anti-money laundering;
- the interests protected by the provisions regarding support for victims of extortion;
- the activities of Parliamentary committees of inquiry;
- the activities carried out by a public entity, other than a public economic body, pursuant to a specific law provision, solely for purposes regarding monetary and currency policy, the payment system, the control of brokers and of the credit and financial markets, and the protection of stability;
- the carrying out of defensive investigations or the exercise of a right before a court;
- the confidentiality of the identity of the whistleblower; and
- the interests protected by the provisions regarding tax evasion.
B. Article 2-duodecies of the Privacy Code provides that the restriction of the rights provided for by articles 12–22 and 34 of the GDPR may also occur in the case of processing for justice purposes.
In both the aforementioned situations under A and B, such rights are exercised pursuant to the related provisions of the applicable laws and regulations.
The exercise of the said rights may, under the circumstances described above, be postponed, limited or excluded by the controller through a reasoned communication provided to the data subject without delay, unless such communication undermines the aims of the limitation and as far as it constitutes a necessary and proportionate measure for the protection of the interests safeguarded by the above-mentioned set of laws.
The data subject may, in any case, exercise his or her rights by seeking the Garante’s assessment or inspection. The data subject must be informed of this possibility by the data controller (eg, through the reasoned communication by which it informs the data subject of the limitation to his or her rights).
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER
12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?
Italy
In principle, a privacy notice under articles 13 and 14 of the GDPR should include information in relation to potential investigation and identify investigators as a potential category of data recipients.
It may be the case in an investigations context that personal data has not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply and the fair processing information given to data subject must also include the categories of personal data processed, the source of personal data and details of any personal data obtained from directly accessible sources.
Additional provisions of the GDPR apply where the data are processed by a processor on behalf of the controller. The primary factor considered is control of the data rather than its possession, so the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 of the GDPR).
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?
Italy
A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?
Italy
The Italian National Lawyers’ Council suggests that law firms are generally characterised as controllers in their own right. This is on the ground that responsibility also lies with the law firm itself, as it determines what information to obtain and process in order to perform its work.
Law firms are accountable for their own data protection breaches and infringements. If the breach depends on the client’s failure to comply with data protection law, this responsibility may be shared with the client.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
15. What is the position and status of legal process outsourcing firms under data protection laws?
Italy
The law does not expressly qualify the position of legal process outsourcing firms. Accordingly, their position should be assessed depending on the circumstances of the case. However, they are likely to be considered as data processors of the law firms, which act as data controllers.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?
Italy
Disclosure of employees’ data
Article 4 of Law No. 300/1970 on remote monitoring of employees sets out some additional requirements as regards disclosure of employees’ data to third parties. In particular, article 4 of Law No. 300/1970 provides that it is generally forbidden for the employer to install or implement devices or software for the exclusive purpose of remotely monitoring employees’ activity at work. Accordingly, the employer may install only the devices or software required for productive or organisational needs, and only upon reaching an agreement with local works councils or obtaining an authorisation from the local Labour Office, given that such activities may result in the remote monitoring of employees.
However, recent amendments to article 4 of Law No. 300/1970 specified that no agreement or authorisation is required with regard to devices or machinery used by employees to perform their duties as long as the main aim of the controls is not to monitor employees’ activities and provided that the requirements set out by the data protection legislation are met. In this respect, article 4 of Law No. 300/1970 requires the employer to adequately inform its employees on the use of electronic devices and their business email account and on how their personal data is stored and processed through the privacy notice.
Furthermore, the Garante's guidelines provide that checks on employees' email, instant messaging and internet logs may be carried out only:
- on an occasional basis and not continuously;
- where the checks are limited to what is strictly necessary; and
- after the privacy notice referred to above has been provided.
Italian case law also suggests that an employer may lawfully review an employee's emails where it has a suspicion or notice of misconduct by that employee. Even then, the investigative steps taken must be limited to what is necessary to establish the relevant facts.
Other
The European Banking Authority's guidelines on outsourcing arrangements set out recommendations that financial institutions must follow for any outsourcing, including outsourcing to cloud service providers, covering among other things the security of the data, where the data are geographically located and processed, and the importance of contingency planning.
Further useful guidance on cloud services and their compliance with data protection law can be found, inter alia, in the EU Cloud Code of Conduct.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?
Italy
The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.
Within the EEA
A transfer of personal data from this jurisdiction to a processor or controller in another EEA state must comply with the same requirements as if the transfer were made within the jurisdiction.
Outside the EEA
Personal data subject to the GDPR may not be transferred to a country or territory outside the EEA unless that third country or territory ensures an adequate level of protection for personal data, or one of the safeguards or derogations described below applies.
The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data, so a transfer to them can be made in compliance with the rules restricting transfers outside the EEA. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom and Uruguay.
Alternatively, the controller as transferor could ensure an adequate level of protection through:
- entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or
- for transfers within the same group, adoption of binding corporate rules.
In its judgment of 16 July 2020 in Schrems II, the Court of Justice of the European Union (CJEU) held that the standard contractual clauses offer only a baseline level of protection and may be relied on only where the protection they provide is not undermined by the law and practice of the destination country in the particular circumstances. Controllers exporting personal data on the basis of the standard contractual clauses approved by the European Commission must therefore assess, on a case-by-case basis, whether supplementary measures are needed to remedy any identified deficiency and ensure an adequate level of protection.
The European Data Protection Board (EDPB) has published recommendations on measures that supplement transfer tools, including the standard contractual clauses.
The European Commission had also issued an adequacy decision covering US recipients certified under the EU-US Privacy Shield framework. In Schrems II, however, the CJEU declared that decision invalid, so transfers to the United States cannot currently be made on the basis of the EU-US Privacy Shield.
Data can otherwise be transferred if one of the following derogations, among others, applies:
- the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);
- the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of the data subject.
Where none of the above derogations is available, a transfer to a third country may still take place if it is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller that are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards for the protection of the personal data. This ground may be relied on only where no other transfer mechanism or derogation is available. The controller must inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 of the GDPR, must inform the data subject of the transfer and of the compelling legitimate interests pursued.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?
Italy
The derogations most relevant to enable the international transfers of personal data in connection with investigations are that:
- the transfer is necessary for important reasons of public interest; and
- the transfer is necessary for the establishment, exercise or defence of legal claims.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES
19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?
Italy
The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 GDPR.
While the GDPR contains no specific exemption for disclosures to a regulator or an enforcement authority within the jurisdiction, several grounds may support such a disclosure. These include where the disclosure is necessary for compliance with a legal obligation to which the controller is subject, where it is necessary for the establishment, exercise or defence of legal claims, and where courts are acting in their judicial capacity.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?
Italy
The provisions applying to cross-border data transfer generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.
Any disclosure of personal data to an overseas regulator or law enforcement authority engages the first data protection principle (including the requirement to establish a legal basis under article 6 GDPR) and the restrictions on cross-border transfers of personal data. The first principle provides that processing of personal data must be fair, lawful and transparent.
Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that this is not a purpose about which the data subjects will have been sufficiently informed. The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.
The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.
The transfer may lack a legal basis, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:
- the consent of each affected data subject to the disclosure and transfer. However, as noted above, consent can be problematic to obtain, can be withdrawn at any time and must be explicit where it is relied on as the basis for an international transfer (and, in any event, where sensitive data are involved);
- that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
- that the processing is in the legitimate interests of the controller; or
- that the processing is necessary for the performance of a task carried out in the public interests.
The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.
Article 48 of the GDPR provides that, without prejudice to other grounds for international transfers, a judgment of a court or tribunal or a decision of an administrative authority of a third country requiring a transfer does not in itself justify the transfer of personal data to a non-EEA country.
Such a judgment or decision may be recognised or enforced only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a member state. The European Data Protection Board guidelines state, in relation to article 48: "In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement."
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?
Italy
The recipient of such a request may consider taking the following steps, among others:
- Consider whether there is a legal obligation to respond to the request and, if so, its extent.
- Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
- If possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
- In accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.
- Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
- Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor).
- Consider whether the transfer can be routed through an MLAT: in some cases it may be possible to ask the requesting court or regulator to seek the data via an MLAT or another international agreement.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP
ENFORCEMENT AND SANCTIONS
22. What are the sanctions and penalties for non-compliance with data protection laws?
Italy
The GDPR takes a tiered approach to penalties. Data protection authorities may impose fines of up to the higher of €20 million and 4 per cent of annual worldwide turnover for some infringements (eg, breach of the rules on cross-border transfers, of the principles for processing or of the conditions for consent), and of up to the higher of €10 million and 2 per cent of annual worldwide turnover for other specified infringements.
The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.
The Privacy Code also extends the administrative fines provided by the GDPR to a series of infringements of its provisions (eg, provisions concerning the processing of data related to criminal convictions and offences or concerning the rights of deceased people).
Furthermore, there are a number of criminal offences under the Privacy Code (eg, making false statements or submitting false documents during proceedings or investigations before the Garante). The maximum penalty for criminal offences under the Privacy Code corresponds to six years of imprisonment.
Article 2-decies of the Privacy Code also establishes that data processed in breach of data protection legislation may not be further used, except in the context of judicial proceedings, where the processing and usability of the related information is governed by the rules of civil procedure.
The Garante is responsible for enforcing the GDPR and the Privacy Code, but in certain circumstances enforcement takes place through the courts (eg, under article 79(1) of the GDPR, data subjects have a right to an "effective judicial remedy" where they consider that their rights under the GDPR have been infringed as a result of processing of their personal data in breach of the GDPR).
A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.
Answer contributed by
Livio Bossotto and
Elena Cirotti
Allen & Overy LLP