Editor in chief: Angelo Scorza
30/03/18 16:25

New rules for the protection of personal data

Few tips about the new data protection law picked out by PKF Studio TCL – Tax Consulting legal

With the General Data Protection Regulation (Regulation (EU) 2016/679, referred to below as the “Regulation” or “GDPR”), the European Union has redesigned its data protection framework.

The primary aim is to harmonise data protection rules across Europe as far as possible: every Member State had transposed the former Data Protection Directive (Directive 95/46/EC, dated 1995) differently, and the resulting patchwork of legal uncertainties and inconsistencies particularly affected multinational groups and anyone doing business across borders.

The GDPR is binding and directly applicable in all EU Member States, and applies to every organisation processing personal data (even if only its own employees' data), with the aim of further harmonising and clarifying the subject.

The Regulation strengthens the rights of individuals while imposing stricter enforcement of the new rules protecting personal data, regardless of where the data are stored, controlled, processed and shared, which is often outside the EU, as typically happens when browsing the internet or using free-of-charge applications.

The GDPR applies in all Member States from 25 May 2018, establishing a substantially harmonised legal framework while leaving the individual States a narrow margin of discretion to lay down a few provisions of their own. Italy is still awaiting the issuance of these “specifications”; however, since the GDPR is a Regulation and therefore directly applicable without national transposition, the usual Italian grace period is ruled out, and most of the provisions of the former Privacy Code (Legislative Decree 196/2003) will be repealed or replaced by it. Only those provisions of the former Privacy Code that are not inconsistent with the new Regulation remain applicable.

On compliance, the Regulation is built around the so-called “accountability” principle, the core element of the new framework, which defines the roles of the following parties:

  • the data controller must continuously assess the risk that a given processing operation poses to the rights and freedoms of the individuals concerned. To prevent such harm, companies are required to adopt adequate technical and organisational measures, to review and upgrade them whenever necessary so as to guarantee that data are processed in compliance with the new Regulation, and to be able to provide evidence of this;


  • the data processor is the natural or legal person, public authority, association or other body that processes personal data on behalf of the data controller (e.g. the company's external labour consultant, who processes employee data on the company's behalf);


  • the Data Protection Officer (DPO) may be an in-house expert or a professional outside the controller's organisation. Appointment is mandatory for public authorities and bodies and for organisations whose core activities consist of large-scale regular and systematic monitoring of individuals or of large-scale processing of special categories of data; the DPO's contact details must be published and communicated to the national supervisory authority. The DPO must be given the resources and independence needed to ensure compliance with the GDPR.

Non-EU enterprises must also comply with the Regulation when offering goods or services to individuals in the EU (or monitoring their behaviour there).

The GDPR introduces direct compliance obligations for data processors as well (including accountability, security of processing, keeping a record of processing activities, DPO appointment where required, data protection impact assessments and breach notification). These obligations will have a considerable impact on both controllers and processors, who will have to evaluate and negotiate them in forthcoming agreements and revise their existing contracts.

The Regulation introduces clearer rules on privacy notices and consent: consent can no longer be implied, all companies must process personal data fairly, and controllers must set out in their privacy notice the purposes of the processing and the legal grounds justifying it. The GDPR also restricts decisions based solely on automated processing, lays the foundation for new rights, introducing the “portability” of personal data from one controller to another, and, with the so-called “right to be forgotten”, allows individuals to have their personal data erased (including online) by the controller where the specific conditions set out in the Regulation are met. Controllers are not always obliged to erase the data and may reject the request, in particular to exercise freedom of expression and the right to information, to fulfil a legal obligation, to pursue a public interest or exercise official authority, for the purposes of scientific or historical research and statistics, or to establish, exercise or defend legal claims.

As anticipated, the controller must notify personal data breaches to the national supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals). Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate it to the individuals concerned in clear and plain language, without undue delay, and advise them on how to mitigate its possible adverse effects.

Controllers and processors must compensate individuals for any material or non-material damage suffered as a result of an infringement of the Regulation. The GDPR exempts them from liability only if they prove that they are not in any way responsible for the event giving rise to the damage; it provides no specific exemption for force majeure.

Administrative fines for non-compliance can be very high: up to 10 million Euro or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year (for the whole group), whichever is higher, for infringements of the general obligations laid down by the Regulation; and up to 20 million Euro or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles of processing, the conditions for consent, the rights of individuals and the rules on transfers of personal data to third countries, and for non-compliance with an order or a temporary or definitive limitation on processing imposed by the supervisory authority. Criminal penalties remain a matter for each Member State.

A typical example: a company storing personal data in the cloud must know in which country the servers holding the data are located. Lacking documentary evidence of this is itself a violation, as is transferring the data to a server in a non-EU country whose domestic law does not guarantee a level of protection equivalent to the GDPR's, unless one of the safeguards provided for by the Regulation is in place. The controller must be able to demonstrate that the company complies with the applicable rules, or fines will follow. Given the very close application date, compliance is particularly urgent, and larger corporations will need the support of skilled legal and IT professionals. Entrepreneurs must absorb the new measures, which are by no means easy to implement, while also considering their positive side: corporate procedures may have to be reviewed, and can be improved in the process. We trust that the effort, particularly for those who have already started, will prove “worthwhile”.

Happy Easter to all readers


Stefano Quaglia

PKF Studio TCL Tax Consulting Legal – Genova Milano


LEI code: new compliance costs for businesses


The Legal Entity Identifier (LEI) is a unique 20-character alphanumeric code based on the ISO 17442 international standard, which enables the identification of legal entities participating in financial transactions across global markets and legal systems.
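As an added example (not part of the original article): the last two characters of an LEI are check digits computed, per ISO 17442, with the ISO 7064 MOD 97-10 scheme also used for IBANs, so a malformed or mistyped code can be rejected before it is written into a transaction report. The Python below validates an LEI and recomputes the check digits for an 18-character prefix. The sample LEI 506700GE1G29325QX363 is a published code whose check digits verify; the other inputs are constructed for illustration.

```python
"""Validate ISO 17442 Legal Entity Identifiers (check digits per ISO 7064 MOD 97-10)."""
import re
import string

# LEI layout (ISO 17442): 18 alphanumeric characters (the first four identify the
# issuing Local Operating Unit, the LOU) followed by two numeric check digits.
LEI_PATTERN = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
PREFIX_PATTERN = re.compile(r"^[A-Z0-9]{18}$")


def _to_numeric(s: str) -> str:
    """Map letters A-Z to 10-35 (as in IBAN/ISO 7064); digits are kept as they are."""
    out = []
    for ch in s:
        if ch in string.digits:
            out.append(ch)
        elif ch in string.ascii_uppercase:
            out.append(str(ord(ch) - ord("A") + 10))
        else:
            raise ValueError(f"invalid LEI character: {ch!r}")
    return "".join(out)


def _mod97(numeric: str) -> int:
    """Remainder mod 97, digit by digit, so no arbitrary-size integer is needed."""
    r = 0
    for d in numeric:
        r = (r * 10 + int(d)) % 97
    return r


def compute_check_digits(prefix18: str) -> str:
    """Return the two check digits for an 18-character LEI prefix.

    ISO 7064 MOD 97-10: append "00", take the remainder mod 97 and use 98 - r,
    zero-padded; the full 20-character code then has remainder 1.
    """
    prefix18 = prefix18.strip().upper()
    if not PREFIX_PATTERN.match(prefix18):
        raise ValueError("LEI prefix must be 18 alphanumeric characters")
    r = _mod97(_to_numeric(prefix18 + "00"))
    return f"{98 - r:02d}"


def is_valid_lei(lei: str) -> bool:
    """True if the string is a well-formed LEI whose check digits verify."""
    lei = lei.strip().upper()
    if not LEI_PATTERN.match(lei):
        return False
    return _mod97(_to_numeric(lei)) == 1


def validate_batch(candidates):
    """Validate several codes at once, e.g. client identifiers before a MiFID report."""
    return {c: is_valid_lei(c) for c in candidates}


if __name__ == "__main__":
    SAMPLE = "506700GE1G29325QX363"   # published LEI; check digits verify
    assert compute_check_digits(SAMPLE[:18]) == SAMPLE[18:]
    # Constructed inputs: one-digit transcription error, truncated code, lowercase copy
    for code, ok in validate_batch(
        [SAMPLE, "506700GE1G29325QX368", "506700GE1G29325QX36", SAMPLE.lower()]
    ).items():
        print(f"{code:22} valid={ok}")
```

A passing check only proves the string is well-formed: whether the code has actually been issued, is still active (the annual renewal discussed below matters here) and belongs to the counterparty in question can only be established by looking it up in the GLEIF index.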

The purpose of the code is to create a single, global reference database that enhances transparency in financial transactions. By adopting it, all legal entities involved in financial transactions benefit, mutually, from the information available across the LEI community.

To make the system work, its promoters (the initiative was designed and endorsed by the G20) chose to make it effectively mandatory and to rely on financial regulators to enforce it. In the European Union this was done within the MiFID framework for financial markets: since the new MiFID II rules took effect on 3 January 2018, as transposed into Italian law, the guidelines issued by ESMA (European Securities and Markets Authority) have become fully applicable in our country, and they require financial intermediaries to report transactions in financial instruments to the authorities identifying each legal-entity client by its LEI, which therefore becomes mandatory.

Through this “trick”, all legal entities have effectively been obliged to obtain their own LEI, and, as usual, this will not be painless.

In Italy, InfoCamere is the leading organisation authorised to issue LEIs into the global LEI index; each company can apply to it directly or through its tax consultant or another agent. Issuing an LEI costs 100 Euro plus VAT (the service fee depends on the agent), and that is not all: an annual renewal is required for as long as the code is kept active, at roughly 70 Euro plus VAT.

An LEI is required for parties that are legally or financially responsible for the performance of financial transactions or that have the legal right, in their jurisdiction, to enter independently into legal contracts. In practice this excludes natural persons acting in a private capacity but includes all businesses and sole proprietorships registered in the Business Register, as well as trusts, partnerships, associations, etc. based in Italy and listed in an official register (e.g. the Tax Registry), besides governmental and supranational organisations. Any such entity trading in financial instruments needs an LEI, and without it its transactions may be blocked.

We advise all financial operators who have not already done so to check with their bank or financial adviser whether they need an LEI; the obligation depends on the type of transactions carried out. It is the intermediaries executing the transactions who must report them to the authority in compliance with the regulations, identifying each client by its LEI.

Massimiliano Albertini

PKF - Studio TCL Tax Consulting Legal

Genova  –  Milano

TAG : Tax corner