The Data Protection Authority (the “Authority”) has the power to investigate complaints and cases and to order the suspension of data processing (including the transfer of data), as well as the destruction of data and other similar actions; these orders can be appealed to the courts. The Authority can also impose administrative sanctions ranging between €3,000 and €300,000 depending on the type of data and violation involved. In particularly significant cases, e.g. when many data subjects are involved, the relevant amounts may be doubled. Some amounts may be quadrupled if the applicable sanction is deemed insufficient for the violator because of its economic position. Finally, the Authority may order the publication of its decision in one or more daily newspapers, at the violator’s cost, and may also order the blocking of the infringing database.
Individuals can file complaints with the Authority, and can seek compensation for monetary and also moral damages suffered as a consequence of violations of the privacy law.
Criminal sanctions consist of imprisonment ranging between 3 months and 3 years, depending on the type of violation. Note that criminal sanctions also apply in the case of unlawful data processing in relation to unsolicited marketing communications. Failure to adopt security measures is punished with imprisonment of up to 2 years or (in case of subsequent compliance) fines equal to one quarter of the maximum of the relevant administrative sanction. The criminal decision will also be published in one or more daily newspapers, at the violator’s cost.
Individuals within a data controller may be held jointly and severally liable for violations of the law, depending on the internal distribution of privacy tasks.
Selected Enforcement Actions / General Comments
The Authority is fairly active in carrying out investigations and on-site audits. These may be initiated at the discretion of the Authority or triggered by complaints filed with the Authority by data subjects or interested third parties alleging a breach of privacy law. On-site audits may be performed either at the registered office or at the business premises of a company. For the year 2014, the annual report of the Authority states that fines were issued for a total amount of almost EUR 5 million, that almost 400 inspections were carried out, and that the Authority replied to almost 5,000 claims. The breaches most often sanctioned have been:
- failure to provide appropriate information to the data subjects;
- breach of data security requirements and unlawful data processing;
- breaches of orders and provisions of the Authority;
- failure to disclose data breaches; and
- failure to comply with opt-out obligations in relation to marketing activities.

The annual report of the Authority is available in Italian on the Authority’s website, at: www.garanteprivacy.it
In addition, it should be mentioned that the Authority is fairly active in taking part in international activities and joint initiatives organized with other European data protection authorities, as well as with international authorities.