Although the General Data Protection Regulation ("GDPR") entered into force on May 25, 2018 ("GDPR Day"), many EU member states were late in taking steps to adopt domestic provisions in those areas where GDPR allowed them to do so. GDPR is leaving some room to member states in order to adjust the regulation to their legal system. The list of possible deviations is broad, ranging from restrictions and limitations to the processing of biometric, genetic and health data to the appointment of data protection officers.

In Italy, national measures were made through Legislative Decree No. 101/2018 (the "Decree"). The Decree was adopted on August 10, 2018, and entered into force on September 19, 2018, just one day after the start of the Milan Fashion Week.

We briefly touch some of the provisions of the Decree to figure out what would the Italian GDPR style may look like:

  • Minor consent: The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent.
  • Processing of biometric, genetic and health data: The Decree provides that specific conditions for the lawful processing of genetic data, biometric data or data concerning health will be adopted. The Italian Supervisory Authority is tasked with such adoption, at least every two years. Until then, the previously issued measures continue to apply (insofar as they are compatible with GDPR).
  • Limitation to data subject rights: Existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.
  • More sub-regulation(s) to come: In an number of areas—such as data processing for journalistic, academic or artistic purposes; processing within the framework of employment; and accessing public documents—sector sub-regulations will be adopted by the Italian Supervisory Authority. Prior to their adoption, they will be subject to public consultation.

As one can see, the Italian Supervisory Authority is still cutting the pattern for the Italian version of GDPR When the Italian collection hits the catwalk, one will be able to assess whether the Italian domestic framework will be a style worth stealing.

Elegance is not standing out, but being remembered (G. Armani).