privacy

LGV WILL ATTEND A MEETING AT THE CONSULATE OF SOUTH KOREA

12/05/2017

Founding partner Luigi Goglia and senior associates Ju Yeon Park and Alessandro Sassone, representing LGV, will attend the conference organized by the consulate of the Republic of Korea in Milan on May 16, 2017 in the presence of the new Korean Ambassador and the Korean business representatives present in the territory.

 

The meeting is but one moment in the decade-long process of cooperation between LGV and South Korea; this relationship has formed thanks to the activity of senior associate Ms. Ju Yeon Park.

Mr. Goglia will have the honor of opening the meeting by introducing the morning's topics; the speakers will then take turns on stage to discuss the most current legal issues. In particular, Ms. Ju Yeon Park will discuss privacy and the new obligations arising from the implementation of the Community regulation, while Alessandro Sassone will discuss international contracts.


THE EUROPEAN COMMISSION PRESENTS THE EU REGULATION PROPOSAL ON SO-CALLED “E-PRIVACY”

28/03/2017

On January 10, 2017, the European Commission sent to the EU Parliament the proposal for the EU Regulation concerning the protection of personal data in electronic communications. This proposal, which is part of the “Strategy for a Unified Digital Market” recently promoted by the EU institutions in order to enhance public confidence in digital services and in their safety, constitutes a lex specialis of the new EU Regulation no. 679/2016 on privacy and will complete the rules concerning the protection of information that is included in electronic communications and qualifies as “personal data”. If approved, the new regulation will repeal EU Directive 2002/58/CE concerning the processing of personal data and the protection of privacy in the electronic communications sector.


 

The aim of the Regulation is to adapt the current European legal framework to the latest developments in the field of electronic communications, especially after the spread in the market of new models of communication and messaging, so-called “Over the top” services, such as Facebook, Skype and WhatsApp.

The main innovations contained in the regulation proposal are: i) stricter rules for the processing, by electronic communication providers, of the data contained in electronic communications: the provider will be obliged to remove or otherwise anonymize such data once the recipient of the communication has received its content (art. 7); ii) simpler rules on “cookies”: the user’s consent will no longer be necessary for saving, among others, cookies needed to measure the number of website visitors or cookies required to guarantee the website’s functionality for the user (e.g. storage of items in the shopping cart of an e-commerce website) (art. 8); iii) stronger guarantees for the users of so-called number-based interpersonal communication services (e.g. mobile telephony services): the providers of such services will be required to make available to the user services that enable the general blocking of anonymous calls or of calls coming from specific numbers (art. 12 and 14).

Under the legislative procedure for the approval of EU regulations, this proposal, in order to acquire force of law and become directly applicable in all Member States, must now be approved by both the European Parliament and the EU Council. The aim is for the Regulation to enter into force on 25 May 2018, together with the EU Regulation on privacy.


PRIVACY – ON OCTOBER 1, 2016, THE NEW CODE OF CONDUCT FOR THE PROCESSING OF PERSONAL DATA CARRIED OUT FOR COMMERCIAL INFORMATION PURPOSES WILL ENTER INTO FORCE

06/09/2016

From October 1, 2016, the measures called for by the “Code of conduct for the use of personal data carried out for commercial information purposes” will be applicable. The Code of Conduct (available in full at the following link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4298343) has been promoted by the Italian Data Protection Authority and prepared in cooperation with various associations concerned with the field.

The new Code is directed at companies that provide information on the commercial reliability of entrepreneurs and managers, and aims to regulate the activities of those entities by balancing their freedom of economic initiative, on the one hand, against the security, individual freedom and dignity of the people whose data are processed, on the other. The data collected and processed by those companies are particularly sensitive, as they refer to the economic and financial position of entrepreneurs. It follows that the incorrect use of databases and invasive analysis tools can cause serious damage to the dignity and privacy of all the people involved.


 

Here are the most significant rules introduced by the Data Protection Authority in the Code of Conduct:

  • Scope: the new Code of Conduct will only apply to commercial information relating to individuals. The Code, in fact, takes over the definition of “personal data” provided for by Article 4 of Legislative Decree 196/2003 (“Privacy Code”), which refers to “any information concerning a natural person, identified or identifiable”. It follows that all commercial information that does not refer to individuals is freely usable (point 3 of Preamble);
  • Data traceability: in order to create a business information dossier on a manager or an entrepreneur, only the personal data referring to that person – or to people or entities that have or have had legal and/or economic connections with that person – can be used (such a connection exists, for instance, when the data subject owns a company through direct or indirect control of shares) (art. 2, par. 3 and 4);
  • Usable data and consent: only the following data can be used: i) data coming from public sources, cognizable by anyone (and thus the information contained in the companies’ register and within balance sheets, real estate deeds, detrimental acts); ii) data extracted from publicly available sources and generally accessible by anyone (such as newspapers, telephone directories, government or control and surveillance agencies’ websites); iii) personal data that the data subject freely decided to communicate to the commercial information provider (art. 3, par. 1 and 2). In the cases referred to in points i) and ii) the data may be processed without the consent of the data subject (art. 5);
  • Data processing arrangements: when they collect and keep personal data, the commercial information providers are required to: i) ensure that the acquired information is correct and pertinent to the pursued purpose; ii) take note of the source of the data; iii) keep the data up to date (art. 3, par. 4);
  • Information to data subjects: for the processing of the above-mentioned data, the commercial information providers give the data subject a non-individual information notice, released under simplified arrangements compared to the ordinary ones provided for by art. 13 of the Privacy Code. In particular, the information must be released within a portal specifically created by the commercial information providers, in case they have an annual turnover of more than € 300,000.00; within the website of the single commercial information provider, in case its annual turnover is lower than the above-mentioned amount (art. 4);
  • Time limits for use and keeping of data: the personal data collected for commercial information purposes may only be kept as long as they remain knowable and/or published in the public sources they come from (art. 8). As regards detrimental information (such as bankruptcies, insolvency proceedings, mortgages, etc.), Art. 7, par. 4, introduces stricter deadlines (for instance, the information relating to insolvency proceedings normally cannot be used for more than 10 years from the date of opening of the insolvency proceedings themselves);
  • Security: all commercial information providers are required to implement appropriate measures in order to ensure the security, integrity and confidentiality of the collected and processed information (art. 10).

Entry into force: the new Code of Conduct shall enter into force on October 1, 2016. Therefore, from that date, any processing of personal data for commercial information purposes shall be considered illicit if it is not compliant with the Code.