The Italian Data Protection Authority (DPA) has defined the boundaries of the inspection activity planned for the first six months of 2021. These will include n. 50 inspections to be conducted also by the Italian Finance Police (under delegation by the DPA) and will focus on the verification of compliance with the applicable privacy laws relating to the following matters of general interest:
-
processing of biometric data for facial recognition also through video surveillance systems;
-
processing of personal data in the context of the so-called “domestic video surveillance” sector and in the sector of audio/video systems applied to games (so-called connected toys);
-
processing of personal data carried out by “data brokers”;
-
processing of personal data carried out by companies operating in the “Food Delivery” sector;
-
data breach.
From this list two big developments emerge: in particular, this year the Italian DPA will extend its inspections also to the processing of biometric data, as well as to the processing carried out through video surveillance systems. These are two areas governed not only by the GDPR and the Privacy Code but also by various guidelines and other legal provisions, as well as by extensive case law.
Let us mention, just for example, the Guidelines of the Italian DPA on biometric recognition and graphometric signature of 2014, the renewed Article 4 of Law no. 300/1970 and Administrative Memo no. 5/2018 issued by the National Labour Inspectorate, the decision of the Italian DPA on video surveillance of 2010 and the recent FAQ on video surveillance of 5 December 2020, the national and EU case law concerning the monitoring of workers and the so-called “defensive controls”, Opinion no. 2/2017 of the former Working Party art. 29 (“Opinion 2/2017 on data processing at work”) as well as Guidelines no. 3/2019 of the European Data Protection Board (EDPB) on processing of personal data through video devices.
The above considerations lead us to think about the correct and complex task of identifying the privacy requirements to be met by data controllers and processors – i.e. the economic operators; indeed, especially before embarking on an activity involving the processing of biometric data or the use of video surveillance systems, it is necessary to clarify the particular circumstances of the case at issue (identifying the purposes of the processing, the security measures to be adopted, the possible involvement of any third-party providers, etc.) in order to correctly prepare the privacy documents required by the many applicable regulations (possibly with the help of specialized professionals).
Therefore, it will be interesting to analyse the results of the inspection activity of the Italian DPA to understand what will be – three years after the enactment of the GDPR – the level of compliance that the Authority will consider “acceptable” and what is the real level of compliance reached by the companies operating in our country who process special categories of personal data and use video surveillance systems.
Of course, the privacy obligations relating to the processing of biometric data or through video surveillance systems are on top of those generally required for the processing of personal data; consequently, in order to achieve full compliance with the privacy regulations in force, it is necessary not only to regulate particular areas of business activity (such as, for example, video surveillance or biometrics) but also to adopt (or rather, already have adopted) a solid internal privacy structure which – in case of inspections – can prove to the authorities that the processing of personal data carried out fully complies with the relevant legal provisions.
With particular reference to video surveillance, we would like to remind you that our Firm has developed and published on its website the quick and useful Guidelines for the installation of video surveillance systems, updated with the latest Italian and European regulations. You can consult the Guidelines here.