Regulation EU 2016/679, new rules for the protection of personal data.

Regulation EU 2016/679, which entered into force last May 24th and is known as the Regulation on Protection of Personal Data, is intended to replace the obsolete Directive 95/46/CE within two years. It not only represents a significant upgrade in the protection and processing of personal data, but also finally puts an end to the clear disharmonies that had gradually emerged in this matter between the systems of the different Member States, producing a uniform discipline at Community level.

This Regulation takes into account the information contained in the Treaty of Lisbon, which extends the right to privacy from the mere freedom of movement of persons to all matters related to foreign policy and public security. It aims to regulate aspects inextricably linked to the technological development that has occurred in recent years, most notably issues relating to the right to be forgotten, the right to data portability and the right to be informed in the event of a data breach.

First of all, it should be noted that all the innovations contained in the new European Regulation can be brought within the right to personal data protection, already widely recognized by the provisions of Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) TFEU (“everyone has the right to protection of personal data”), and also recalled in Recital n. 1 of the new wording: “the protection of natural persons in relation to the processing of personal data is a fundamental right”.

The wording of the two previous Acts identifies both the right of the individual to be informed about the use made of his/her personal information, and a power of control over this use. In fact, considering data as a representation, if not a real projection, of the subject into the civil and social context, his/her interest in having such a projection correctly managed and, above all, kept within the limits set by the latter cannot be denied.

More streamlined and immediate access to personal data for the data subject is a corollary of these considerations, in order to allow him/her, also with a view to a possible correction or erasure, a complete view of the processing and its purposes.

Within this framework emerges a particular right to information, known as the right of access by the data subject.

Although Recital n. 63 gives the data subject the possibility to exercise this right only “at reasonable intervals”, in order to prevent it from becoming a way to avoid processing through constant requests, Recital n. 68 also provides that “where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller”.

That is why controllers are required to develop interoperable systems, also in relation to data portability, which is the right of the data subject, established by Article 20 of the Regulation, to transmit personal data concerning him/her to another controller. This applies only in cases where the processing, carried out by automated means, is based on prior consent or on a contract.

Similarly, Article 15 of the Regulation regulates the right of access in detail, giving the data subject the right to obtain from the controller confirmation as to whether or not his/her personal data are being processed and, where that is the case, access to the personal data and to some information listed in the same Article.

However, the innovation of the Regulation is not limited to regulating the right of access or to providing for data portability; in fact, the strength of the current legislation also resides in a new range of rights that were previously not regulated, or regulated only superficially.

For example, Article 16 expands the right to rectification, introducing the possibility for the data subject to have incomplete personal data completed, given the purposes of the processing, by means of a supplementary statement.

Moreover, great interest is raised by the provision, as part of the right to erasure, of the distinct right to be forgotten, i.e. the opportunity for a person to be, literally, forgotten by databases, media, and search engines holding his/her data.

This right, which originated exclusively in jurisprudence, is one of the most mature achievements of our days, when rampant technological development has diametrically reversed people’s need to be connected with the rest of the world, turning it into an opposite desire to be forgotten and isolated.

The European Parliament made a decisive breakthrough by enshrining the right of the data subject to have the controller delete “without undue delay” all those data “no longer necessary in relation to the purposes for which they were collected” and those unlawfully processed, in the event of, alternatively, a request, withdrawal of consent, objection to the processing or a legal obligation. This is a sign of a new sensitivity to today’s social context, which is witnessing growing attention to the matter.

However, the exercise of this right is not completely unconditional: on the contrary, Art. 17(3) of the new Regulation, with a view to a reasonable balance of rights, sets out a series of cases in which the right to be forgotten gives way to principles equally worthy of protection. This is the case, for example, when processing is necessary for exercising the right of freedom of expression and information (in this hypothesis a balance with the opposite right and duty to inform is necessary), or when data are processed in compliance with a legal obligation.

Among the most important new features is the introduction of the post of Data Protection Officer, or DPO, that is, the person responsible for data protection.

The tasks assigned to the DPO, who must necessarily be appointed in public companies and in those where the processing presents some risks, include: informing and advising the controller or the processor, and the employees who carry out processing, of their obligations pursuant to the new Regulation; monitoring compliance with Regulations, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations; providing advice, where requested, regarding the data protection impact assessment and monitoring its performance; acting as the contact person for the supervisory authority on issues relating to processing; and cooperating with the supervisory authority.

Given the significant innovations, briefly examined above, introduced by the new Regulation on Protection of Personal Data, it is clear that the gap between its adoption and its effective enforcement is intended to give more time to adapt to the new regulatory framework.

Moreover, the provision of such a transition period has been welcomed by legal doctrine, which advocates, during these two years, a clarification of the relationship between the Regulation itself and the national personal data protection laws, with particular reference to those cases in which national laws contain provisions not in direct and stark contrast with the Regulation: in fact, beyond the obvious application of the Regulation pursuant to Art. 11 of the Italian Constitution, it is not possible to predict what problems the judges will actually have to solve. Therefore, they are expected to carry out a delicate, and probably not univocal, interpretive activity.