The GDPR Compliance Decree

The long-awaited legislative decree aligning national legislation with the General Data Protection Regulation (GDPR) has finally been published.

Legislative Decree No. 101 of August 10, 2018—enacted to implement Article 13 of the 2016–2017 European Delegation Law (Law No. 163 of October 25, 2017)—is intended to bring the Privacy Code into line with European legislation, which became fully effective on May 25 of this year.

The Privacy Code is not being completely repealed (as suggested in an earlier draft of the decree) but remains in effect, with amendments aimed at bringing it into line with the principles set forth in the General Data Protection Regulation, foremost among them the principle of accountability.

The measure provides that the Data Protection Authority shall establish simplified procedures for micro, small, and medium-sized enterprises to comply with their obligations as data controllers.

The measures issued by the Data Protection Authority remain in effect, as they are consistent with the GDPR and with the decree itself.

For the first eight months following the effective date of the decree, the Data Protection Authority must take into account, for the purposes of imposing administrative sanctions and to the extent that this is compatible with the provisions of the GDPR, the initial implementation phase of the sanctioning provisions.