Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The recent provisions of the Italian legislator on data protection


The Italian legislator recently adopted two new laws on data protection, Law n. 167/2017 and Law n. 205/2017, with the aim of coordinating the current Italian privacy regulation with the GDPR. These first provisions, which legal scholars consider unclear, are expected to be supplemented shortly by the Italian privacy harmonization law.

With Law n. 167/2017 and Law n. 205/2017 the Italian legislator issued new rules on data protection, taking into consideration the provisions of the GDPR.

In particular, Law n. 167/2017 partially revised the role of the data processor under art. 29 of the Italian Privacy Code, by adding a new Paragraph 4-bis and by replacing Paragraph 5, which regulate the procedures and requirements for appointing a data processor. As a result of these amendments, the new Article 29 of the Italian Privacy Code establishes that "data controllers shall conclude written legal acts with the processors, specifying the finality pursued, the typology of data, the duration of processing, the obligations and rights of the data controller, as well as the methods of processing" and that "these acts are adopted in compliance with the standard models prepared by the Italian Data Protection Authority". Data processors shall also follow the instructions of the data controller, which may carry out periodic audits.

Moreover, with this law the Italian legislator added the new Article 110-bis on the re-use of data for scientific research or statistical purposes, with the exception of genetic data, requiring the prior authorization of the Italian Data Protection Authority.

Law n. 205/2017, instead, establishes that the data controller, before carrying out processing based on legitimate interest that involves new technologies or automated tools, must promptly notify the Italian Data Protection Authority, using a template that the Authority must prepare within two months from the entry into force of the Law (and which has not yet been made available). Once 15 working days have elapsed from the sending of the information, in the absence of a reply from the Italian Data Protection Authority, the data controller may proceed with the processing; otherwise, if the Authority believes that the processing is likely to result in a high risk to the rights and freedoms of the data subject concerned, it prohibits the use of the data. According to the first observations of legal scholars, this provision would appear to be in possible breach of the GDPR, which has actually removed the obligation to notify the supervisory authorities.

Despite the high expectations, the majority of scholars have perceived these amendments as unclear and ambiguous, since they neither provide the required clarifications nor treat the privacy matter in an organic manner. As a matter of fact, the current Italian legal framework on data protection is extremely confusing.

Nonetheless, we acknowledge that the Committee, by virtue of Law 163/2017, under which the Italian legislator delegated the Government to harmonize the local laws with the GDPR, should shortly issue a much more comprehensive measure, with a view to fully coordinating the national provisions with the European ones. We are confident that, on that occasion, the Italian legislator will better define those issues and provide the necessary explanations with regard to Laws 167/2017 and 205/2017.


Article provided by Avv. Chiara Rossana Agostini / R&P Legal Law Firm / Italy



Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Data Privacy Compliance (DPC)/Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start...



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.