Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

GDPR: The Italian Data Protection Authority Issues its First Guidelines


By a press release dated April 28th, 2017, the Italian Data Protection Authority (“DPA”) issued its first guidelines (“Guidelines”) on the General Data Protection Regulation (“GDPR”), which constitutes an important and helpful instrument for those interested in making sure their data processing is compliant with the new EU Regulation ahead of its implementation date (May 25th, 2018).

The Guidelines, that are promised to be amended and/or integrated by the Italian DPA in light of future European and Italian developments as to the interpretation of the GDPR provisions, offer a general overview of the major issues that every company and/or public body should consider in view of May 25th, 2018.

The Guidelines are divided into six different sections (Lawfulness of data processing; Information to be provided on where personal data are collected; Data subjects’ rights; Data Controller, data processor and persons authorized to process personal data under the direct authority of the controller or processor; Data processing risk approach and accountability measures; International data transfers). On one hand, they explain some clarifications with regard to the main data processing aspects introduced by the new European law; on the other hand, they provide for important practical recommendations which are useful to implement the GDPR provisions.

In particular, through its Guidelines the DPA highlights the differences between the GDPR discipline and Italian Law No. 196/2003 ( “Privacy Code”) - i.e. the law that the Italian legislator has adopted in order to comply with Directive No. 95/46/EC – and encompasses for instance the following topics: the new contents of the information notice to be provided to the data subjects (the data protection officer’s contacts, the retention period, the legitimate interest of the data controller - if the data processing is based on it - and the right to claim or defend privacy rights in front of a supervisory authority); the data portability right, the right to be forgotten and the right to restriction of processing; the joint controller institution and the possibility for a data processor to appoint a sub-processor directly.

Moreover, the DPA focuses its attention on the new “accountability approach” on which the GDPR is based, by means of reminding the introduction of the principles named “privacy by design” and “privacy by default”, as well as the new data protection impact assessment (“DPIA”) and also by recommending to every data controller or processor to adopt a proactive approach to their data processing with the aim of taking preventive security measures. To such extent, the DPA also refers to the abolition of some rules provided by the Privacy Code (such as the prior notification and its prior checking).

It should be noted that in Italy no legislative process has yet been launched for making the Privacy Code compliant with the GDPR. The Privacy Code, therefore, as well as any DPA’s statements issued since 1996, shall remain in force until its provisions will not infringe the GDPR’s ones or until they will be declared not compliant with the GDPR.

Related links:


Article provided by Avv. Chiara Rossana Agostini / R&P Legal Law Firm / Italy


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.