The figure of the Data Protection Supervisor has undoubtedly gained in importance in recent months. He can be identified as the supreme judge, the one who supervises the correct application of the privacy legislation – the well-known GDPR – and who takes action in case of non-compliance. On previous occasions when the Garante has been questioned, a somewhat uncertain and/or ambiguous position has emerged regarding its role as a ‘stickler’ in the light of the provisions of the GDPR. However, let us try to understand who we are dealing with by analysing the activities carried out by the Garante in the past year. The following data were provided by the Garante itself through its annual report.
A wide-ranging activity
It should be noted that the role of the Garante involves a very wide range of activities that do not only concern the innovations introduced by the GDPR, but also other issues such as Internet risks and cyberbullying, cyber security, telemarketing, the fight against money laundering, etc. etc. Wild telemarketing has played a major role for some time now, and several measures have been taken against operators offering financial services, energy and telephone contracts.
The numbers of 2017
In 2017, 573 collegial measures were taken and as many as 6,000 complaints and reports were responded to. The sectors concerned were: telephone marketing, consumer credit, video surveillance, public service concessionaires, debt collection, banking and finance, employment insurance, journalism, local authorities, health and social care services. 41 notifications of criminal offences were made to the judicial authorities, in most cases for failure to adopt minimum security and data protection measures and unlawful processing. 507 administrative breaches, mostly concerning the processing of data without consent, the dissemination of data on the Internet by the P.A., telemarketing, as well as failure to provide users with adequate information on the processing of their data, failure to adopt security measures and failure to submit documents to the Garante.
Inspections and penalties
But let’s come to the most interesting numbers, the ones that should give companies pause for thought about where they stand on the GDPR. In 2017, 275 inspections were carried out in a number of sensitive sectors, both in the public and private sector (in the latter, companies operating in the ‘sharing economy’, door-to-door sales companies, companies offering commercial information services or carrying out telemarketing activities located in Albania emerged). This resulted in administrative fines of approximately EUR 3 million 800 thousand, a figure that marks an increase of 15% compared to 2016.
What do we expect for 2018?
Certainly a very different situation is expected for the 2018 report. An increase in both the number of inspections and administrative sanctions is expected for two main reasons: obviously, on the one hand, the Garante must be receptive and active with regard to the new provisions dictated by the GDPR and consequently intensify its controls; on the other hand, the number of reports from private individuals who have become increasingly aware of their rights in recent months is likely to increase.
Sara Avanzi