The insurance sector, one of the industries that collects by far the most data, is subject to the requirements of the new European regulation on privacy and data processing. Violations of the rules are punishable by very high fines and, in some cases, even criminal penalties.
25 May was the date from which the GDPR (General Data Protection Regulation, European Regulation No 2016/679 on the protection of personal data), whose impact on insurance we have already described, became directly applicable in all Member States. From that moment on, all companies that have not complied with the new provisions face the penalties it provides for.
What are these penalties, and who is in charge of imposing them?
In Italy the competent authority is the Privacy Guarantor. The Guarantor faces a huge job, because this is not a ‘one-off’ control but a constant check over time. “This control is not limited to a mere verification of the activities, nor is it limited to actions implemented over a defined period of time; the authority operates in an uninterrupted and continuous relationship of support, control and exchange of information,” says the lawyer Catia Maietta in this contribution on Digital Agenda, in which she explains the tasks of the Guarantor: “The tasks of the authorities, on their own territory, are indicated by art. 57 of the Regulation and provide for extremely ramified and diversified activities that place the authority, in an initial phase, side by side with the data controller and the data processors. In the event that, from this operation and from the exercise of the aforesaid tasks, the need for further investigation emerges, that is, in the event that an operation not in compliance with the Regulation is found, the supervisory authority is granted investigative, corrective, authorisation and advisory powers, as well as the power to impose administrative pecuniary penalties.”
The Guarantor may also impose administrative fines of up to 20 million euros in certain cases or, in the case of undertakings, up to 4 % of the total annual worldwide turnover in the preceding business year.
“The intention is, essentially, to make a change and to intervene with authority in the field of the correct use and processing of personal data, given the still blurred contours of the matter and taking into account the fact that, for many, it is still a subject of difficult interpretation, especially with regard to the large capital, in terms of information, present in the processing of personal data. It is certainly an enormous power to have personal data available, especially on a large scale, and this is evident from the use that has been made of such data in recent years for various purposes. It is also essential, therefore, that individuals begin to become aware of the value of their data, of the use that is and will increasingly be made of them, and of the power of the amount and quality of information that can be obtained from them,” says the lawyer.
“As regards the quantification of the penalties to be applied in relation to the violations referred to in paragraphs 4, 5 and 6 of the Regulation, they are defined on the basis of the criteria of effectiveness, proportionality and dissuasiveness. This can be seen from the first paragraph of Article 83. If, with the first two criteria, the legislator tried to create a close link between the consequences of the violation and the penalty to be applied, in the sense that both effectiveness and proportionality represent a link between the event and the possible measure of the punishment, dissuasiveness was, most probably, the criterion that led the legislator to tighten the entire structure of the penalty, to the extent that the application of the penalty must be perceived by the company so heavily as to induce it to no longer operate through certain failures.”
Administrative penalties may be imposed on natural persons and on private or public legal entities, specifically on data controllers and data processors, or on the DPO (Data Protection Officer) or on the certification bodies and the bodies monitoring codes of conduct.
Companies' failure to adapt to the GDPR results not only in administrative penalties but also in criminal ones, which the GDPR has, however, left to the autonomous regulation of each individual state.
Recital 149 of the GDPR text states that “Member States should be able to lay down provisions on criminal penalties for infringements of this Regulation, including infringements of the national provisions adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.” (Ne bis in idem means that there will be no double criminal and administrative proceedings for the same fact.)
In Italy, the GDPR will supplement (and partially replace) the Privacy Code, which should remain the applicable text for criminal penalties. In fact, the General Accounting Office of the State is still examining the decree adapting Italian law to the GDPR, which must be approved by the Council of Ministers by 21 May but must first receive the opinion of the parliamentary committees and of the Privacy Guarantor.
The Privacy Code establishes criminal penalties for the unlawful processing of data, with sentences ranging from six months to 18 months' imprisonment and, under certain conditions, up to three years. Imprisonment from six months to three years also remains for false declarations before the Privacy Guarantor.
It is important to remember that criminal liability is always personal, while administrative penalties can be imposed on both the individual and the company.
Who is responsible for the violations?
One of the pillars of the GDPR is the principle of accountability, which makes the data controller responsible for “implementing appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the Regulation” (art. 24, paragraph 1).
In other words, responsibility under art. 24 of the GDPR lies always and only with the data controller.
Who is the data controller?
According to the GDPR (art. 4, paragraph 1, no. 7), the data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In essence, it is the person or legal entity who decides on the use of personal data.
“From this principle of responsibility of the data controller – says Franco Pizzetti, Professor of Constitutional Law at the Faculty of Law, University of Turin – comes the whole system of prescriptions concerning the activities that the controller must perform from the planning phase of processing operations, ranging from privacy by design to privacy by default up to the adoption of appropriate measures to ensure the security of processing. These are decisions that it is up to the controller to take on the basis of the risk assessment that it must carry out in order to define the technical and organisational measures to be adopted, in view of the risks that the processing it wants to put in place may pose to the rights and freedoms of natural persons.”
The data controller may delegate the management of data to third parties: the data processor is the natural person, legal entity, public administration or other body that processes personal data on behalf of the data controller (art. 4, par. 1, no. 8).
A clarifying example is that of web hosting companies, which typically physically manage the data but do so on behalf of the companies that are the data controllers.
The two figures differ because the data controller retains decision-making power: it is the one who decides the purposes and means of processing and is legally responsible for compliance with the obligations under the law. Of course, the two figures may also coincide in the same organisation.
The data processor is liable for damage caused by the processing only if it has failed to comply properly with the obligations imposed on processors by the regulation, or if it has acted contrary to the instructions of the data controller.
If several data controllers or data processors are involved in the same processing operation and are liable for the damage caused, they are jointly and severally liable for the entire damage, in order to ensure full compensation.
The DPO, a new figure introduced by the GDPR, is not personally responsible for failure to comply with the obligations regarding the protection of personal data; it is in fact the duty of the data controller (art. 24) to implement appropriate technical and organisational measures. The DPO is liable only for the performance of its own obligations to provide advice and assistance to the data controller, who is (possibly jointly and severally with the data processor) the only person responsible for compliance with the regulation. The data controller, therefore, can only make claims against the DPO on the basis of contractual liability.