Law Decree no. 23 of April 8, 2020, which entered into force as of today, in addition to extending the suspension of civil proceedings until May 11, 2020 (Article 36) and postponing the entering into force of the Italian Code of Business Crisis to September 21, 2021 (Article 5)
Yesterday, April 6 2020, the Council of Minister passed a Law Decree concerning “Urgent measures with regard to access to credit, postponement of obligations on companies, granting of special powers in the sectors of strategic importance and justice”. Urgent measures
Il D.L., 8 aprile 2020, n. 23, ed entrato in vigore in data odierna, oltre ad avere previsto la proroga della sospensione dei termini processuali civili fino all’11 maggio 2020 (art. 36) ed il differimento dell’entrate in vigore del codice della crisi d’impresa al 21 settembre 2021 (art.5).
Il Consiglio dei ministri di ieri, 6 aprile 2020, ha approvato un decreto legge avente ad oggetto “Misure urgenti in materia di accesso al credito e rinvio di adempimenti per le imprese, nonché di poteri speciali nei settori di rilevanza strategica e di giustizia”. Misure urgenti in materia di accesso al credito e rinvio di adempimenti per le imprese
The European Data Protection Board (EDPB) at the end of its ninth plenary session held on April 9 and 10th, 2019, released draft guidelines on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects (Guidelines 2/2019 on “the processing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects”). The guidelines highlight the narrow scope of the contractual necessity legal basis. In particular the guidelines concern with the applicability of Article 6 (1)b) GDPR to processing of personal data in the context of contracts for online services. The scope of the guidelines is to outline the elements of lawful processing under Article 6 (1)(b), but particularly to clarify the concept of “necessity” since Article 6(1)(b) GDPR provides a lawful basis for processing where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Article 6(1) (b) GDPR applies where either of two conditions are met: the processing is objectively necessary for the performance of a contract with a data subject, or the processing is objectively necessary in order to take pre-contractual steps at the request of a data subject. The EDPB specifies, “assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’”. Therefore, Article 6(1) (b) GDPR will not be an appropriate legal basis for processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the data controller’s other business purposes. With respect to the first of the two alternative abovementioned conditions, the processing is necessary for performance of a contract with the data subject, the EDPB underlines that a data controller can rely on the legal basis of Article 6 (1)(b) GDPR only if he can establish that the processing takes place in the context of a valid contract with the data subject and overall that processing is necessary in order for the specific contract with the data subject to be performed. Where a data controller cannot demonstrate such necessity, he needs to consider another legal basis for processing personal data. As clearly pointed out in the EDBP guidelines, merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). In order to establish that the processing is based on the performance of a contract with the data subject, it is essential to assess what is objectively necessary to perform the contract. For applicability of Article 6(1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of the contractual service to the data subject. The data controller should be able to demonstrate how the main object of the specific contract with the data subject cannot be performed if the specific processing of the personal data does not occur. The provision that the processing is necessary in order to take pre-contractual steps at the request of a data subject is the second conditions for applicability of Article 6 (1)(b) GDPR as legal basis for the processing of personal data. Referring to this condition, the EDBP explains that it is a provision which reflects the possibility, in some cases, for preliminary processing of personal data to be necessary before entering into a contract in order to facilitate the actual entering into a contract, but it stresses that in any case, this provision would not cover unsolicited marketing or other processing which are carried out solely on the initiative of the data controller, or at the request of a third party. At the end of these guidelines, the EDPB deals with the applicability of Article 6 (1)(b) GDPR in some specific situations, namely: (i) processing for service improvement, (ii) processing for fraud prevention, (iii) processing for online behavioural advertising and (iv) processing for personalization of content. According to EDPB, processing for service improvement is unlikely to satisfy the “necessity threshold”. In most cases, the collection of information on how users engage with the service cannot be considered as necessary for the provision of the service because the service can be delivered without the processing of such personal data. Similarly, processing for fraud prevention will also be unnecessary, but could be carried out under another basis in Article 6 GDPR, such as legal obligation or legitimate interest. The Board considers that behavioural advertising does not constitute a necessary element of online services. The EDPB points out it would be hard to argue that the contract had not been performed because there were no behavioural ads, bearing in mind, in particular, that data subjects have the right under Article 21 GDPR to object to processing of their data for direct marketing purposes. Further to this, the Board stresses that “Article 6(1) (b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, it is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue.” Referring to processing for personalization of content, the EDPB acknowledges that personalization of content may, but does not always, be an essential element of certain online services and therefore considered as necessary for the performance of a contract. However, the Board highlights that whether such processing can be regarded as an intrinsic aspect of an online service depends on many factors such as the…
The Consultative Committee on Convention 108, chaired since 2016 by the Italian Garante della Protezione dei dati personali, released the guidelines on artificial intelligence and data protection. The Council of Europe established the Convention 108 (Convention for the Protocol of Individuals with regard to Automatic Processing of Personal Data) in 1981, and the Committee worked at updating the provisions of the Convention to a more technological world and in particular focusing on Artificial Intelligence (“AI”). The set of Guidelines cover (i) general principles, (ii) guidelines to AI developers, manufacturers, and service providers and (iii) legislators and policy makers.
La Corte di Giustizia UE con la sentenza del 12 giugno scorso (causa C-163/16) ha dato ragione allo stilista francese, Christian Louboutin che aveva chiesto di proteggere il proprio marchio e il caratteristico colore rosso delle suole delle sue scarpe, contro la catena olandese Van Haren, che vendeva scarpe col tacco alto dalla suola rossa.
Il Regolamento UE 2016/679 (General Data Protection Regulation o GDPR) si propone di armonizzare le previsioni in materia di privacy a livello europeo, abrogando la direttiva 95/46/CEE, recepita nel nostro ordinamento dal d.lgs. 196/2003 (Codice della Privacy). Il Regolamento, che è immediatamente applicabile in ogni Stato dell’Unione Europea, apporta grandi novità sul piano della tutela dei diritti della persona, tutela che viene largamente ampliata in ragione del valore economico che attualmente questi dati hanno assunto. Ciò che cambia per le imprese è che, se da un lato, il Regolamento prevede strumenti per responsabilizzare maggiormente i titolari del trattamento, dall’altro, stabilisce significative semplificazioni.