EDPB opinion on the main establishment
The topic of Opinion 04/2024, issued by the European Data Protection Board (EDPB) on February 13, 2024, is the notion of a data controller’s main establishment in the Union under Article 4(16)(a) of the GDPR. It was the French supervisory authority (CNIL) that requested the opinion from the EDPB; in fact, Article 64(2) of the […]
ENEL Energia and procedural time limits
In a press release dated Feb. 29, 2024, the Italian Data Protection Authority announced the issuance of its own sanction measure of more than 79 million euros against Enel Energia for telemarketing processing violations (web doc no. 9988710). The value of the fine is the highest ever applied so far by the Italian authority. Precedent […]
Legal bases for personnel data processing
In its February 14, 2024 newsletter, the Italian Data Protection Authority informs of the approval of the code of conduct for employment agencies. As specified in the press release, “the code defines good practices for the correct processing of data carried out in the context of personnel intermediation, search and selection activities“. For the first […]
Guidance document on metadata of employees’ emails
* The Authority in a subsequent decision suspended the legal effects of the guidance document and initiated a public consultation to be concluded within 30 days. There has been an uproar over the Italian Data Protection Authority’s guidance document disclosed in the Feb. 6, 2024, newsletter regarding the collection and storage of metadata from corporate […]
Coordinated Enforcement Action
In January 2024, the EDPB published the report on the designation and position of DPOs as a result of the Coordinated Enforcement Action (“CEA”) conducted in 2023, as part of the Coordinated Enforcement Framework (“CEF”) convened in 2022. Previously, the same committee conducted the first CEF on the use of cloud services by public administration […]
Interactions between the Data Act and personal data protection
As is well known, the purpose of the Data Act – specified in Recital (4) thereof – is to “to lay down a harmonised framework specifying who is entitled to use product data or related service data, under which conditions and on what basis.” Recital (5) below indicates how the European legislator intended to achieve […]
Italian Data Protection Authority’s decisions on Local Health Authorities
The January 24, 2024, newsletter of the Italian data protection authority reports the news of three decisions with related fine orders against three Local Health Authorities in the Friuli-Venezia Giulia region. The merits of the disputes are identical and concern a statistical stratification treatment of a set of patients for the identification of indices of […]
Adequacy in the GDPR
The term “adequacy” and other words with the same root are found 113 times in the Italian text of the GDPR. Adequacy is synonymous with “proportionality” i.e., being in proper relation to the element of comparison. Adequacy in the GDPR is not a feature present in the material world but is a circumstance that can […]
GDPR damage compensation
A number of decisions of the EU Court of Justice provide further interpretive clarification on the compensation of damages arising from processing of personal data under Article 82 of the GDPR. Article 82 of the GDPR Article 82(1) of the GDPR reads as follows: «Any person who has suffered material or non-material damage as a […]
Data Act
The Official Journal of the European Union has published the long-awaited data regulation “Data Act”. After the Data Governance Act, the Data Act is the second most significant regulatory intervention of a horizontal nature i.e., applicable to any sector, of the EU Data Strategy promoted by the Commission for 2020/2023. The title of the Data […]
