eLearning courses Privacy

Our eLearning courses on Privacy aimed at all those who, during the course of their work, find themselves using personal data, or those responsible for data processing (Law 196 of 2003 - Consolidated text on privacy).


Corsi online per addetti al trattamento dei dati

Privacy GDPR - Tutela dei dati personali - 3 ore

40,00 €

Corsi per addetti al trattamento dei dati

Privacy GDPR - Tutela dei dati personali - 1 ora

20,00 €

What is privacy?

The term privacy (rendered in Italian also with confidentiality or privacy) indicates the right to privacy of a person's private life. The right to privacy is therefore also understood as the right to receive a legitimate treatment of all those data that are suitable for providing information relating to one's person. Personal data, in fact, may be suitable to reveal even particularly delicate aspects of each person. For this reason, the law ensures that personal data are processed in a manner that protects the privacy of the subject, trying to prevent unlawful behavior to the detriment of the owner.

What is the processing of personal data?

By processing of personal data according to Italian law, we mean any operation or set of operations, carried out even without the aid of electronic means, concerning the collection, registration, organization, storage, consultation, 'processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion and destruction of data, even if not recorded in a database.

What is the GDPR?

The General Data Protection Regulation (in English General Data ProtectionRegulation also with the English abbreviation GDPR), is a regulation of the European Union concerning the processing of personal data and privacy, adopted on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May of the same year and operational from 25 May 2018.

With this regulation, the European Commission aims to strengthen the protection of personal data of EU citizens and EU residents, both within and outside the EU. external to the borders of the European Union (EU), giving back to citizens the control of their personal data, simplifying the regulatory context concerning international affairs, unifying and making homogeneous the privacy legislation within the EU.

The text also addresses the issue of exporting personal data outside the EU and obliges all data processing owners (including those with registered offices outside the European Union) who deal with data of residents in the European Union to observe and fulfill the obligations. From its entry into force, the GDPR has replaced the contents of the data protection directive (Directive 95/46 / EC) and, in Italy, has repealed the articles of the code for the protection of personal data (legislative decree n. 196/2003) incompatible with it.

What is the purpose of the privacy law?

The purpose of the privacy law is to protect the privacy of the person by protecting their data. The legislator has laid down rules that all those who process personal data of other subjects are required to comply with specific methods of processing personal data, that is measures and measures, which must be adopted by those who hold data of other subjects.

Who guarantees the security of the data and their processing?

The security of the data collected is guaranteed by the data processor and by the data controller called to implement appropriate technical and organizational measures to guarantee a level of security adequate to the risk. To this end, the data controller and data processor ensure that anyone accessing the data collected does so in compliance with the powers conferred by them and after having been specifically instructed.

What is personal information?

Personal data is any information concerning an identified or identifiable natural person. In other words, any information that clearly concerns a particular person. Personal data is divided into four categories:

  • sensitive data: those suitable to reveal "racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in parties, trade unions, associations or organizations of a religious, philosophical, political or union nature, as well as personal data that can reveal a person's state of health and sexual life; data relating to health and sexual life are also called "supersensitive" as they are the only ones for which there is no exemption allowing their use in the absence of a consent;
  • semi-sensitive data: category not well defined, which includes personal data whose processing may cause damage to the owner, such as data relating to the lists of suspected frauds, the names entered in the centralized risks, financial situation data;
  • common data: are all that information, such as name, surname, VAT number, fiscal code, address (including e-mail address), telephone numbers, driving license number, which allow you to identify a natural or legal person, whether it is also an entity or association;
  • judicial data: these are the information that can be used to disclose judicial records, the registry of administrative sanctions due to crimes or pending charges.

Who are the subjects involved in data processing?

In the context of data processing, four subjects are identified:

  • owner, the natural, legal person, entity, association or administration, which is responsible for making decisions regarding the purposes and methods of processing personal data and the tools used. It is the one who initiates the treatment, and there can also be more than one holder. In particular, it is obliged to notify the authority responsible for privacy (an obligation which exists only in cases where the processing is able to prejudice the rights and freedoms of the data subject), thus allowing a control over the processing , and the obligation to inform the data subject (the information is always due even when the data subject's consent is not required, or when the data subject is obliged to necessarily provide his data on the basis of a legal obligation); the owner must also prepare the security measures to avoid a loss or destruction of the data, but also to avoid the theft of the same, in case the interested party suffers damage the owner is civilly liable; the holder is obliged to follow the processing phases, and cannot lose interest in delegating it in its entirety;
  • responsible, the natural, legal person, entity, association or administration in charge of processing the data from the data controller, who also sets the limits of his powers. The appointment is optional;
  • appointee, the natural person authorized by the owner or the person responsible to perform the treatment materially;
  • interested, the natural person to whom the data refers.

What is the right to protection of personal data?

The right to the protection of personal data is a fundamental right of the individual that allows him the right to access his data managed by third parties; the right to rectification, cancellation, limitation of processing, portability of personal data; the right of opposition.

What is the right to access your data?

The interested party has the right to ask the data controller (public entity, company, association, party, natural person, etc.) whether or not a processing of personal data concerning him is being carried out and, if the processing is confirmed:

  • to obtain a copy of such data;
  • to be informed about:
    • a) the purposes of the processing;
    • b) the categories of personal data processed;
    • c) the recipients of the data;
    • d) the retention period of personal data;
    • e) what is the origin of the personal data processed;
    • f) the identifying details of the person handling the data (owner, manager, designated representative in the territory of the Italian State, addressees);
    • g) the existence of an automated decision-making process, including profiling;
    • h) the rights provided by the Regulation.

What is the right to rectification, cancellation, limitation of processing, portability of personal data?

The interested party can request to those who are processing their personal data that they are:

  • a) adjusted (because inaccurate or not updated), possibly integrating incomplete information
  • b) deleted, if:
    • the data are no longer necessary for the purpose of pursuing the purposes for which they were collected or processed;
    • the data subject revokes the consent or opposes the processing; or
    • the data is processed unlawfully or must be deleted to fulfill a legal obligation;
    • and if there are no other treatments for which the data are considered necessary (freedom of expression and information, performance of tasks in the public interest, treatments related to public health, etc.).
  • c) limited in its treatment, if:
    • the data are not exact or are processed illegally and the data subject opposes their cancellation;
    • although the owner no longer needs it for the purposes of processing, the data is necessary for the data subject to assert a right in court;
      • d) transferred to another holder (c.d. the right to portability), if the processing is based on the consent or on a contract stipulated with the interested party and is carried out by automated means.

      What is the right to object?

      You can object to the processing of your personal data:

      • a) for reasons related to the particular situation of the interested party, to be specified in the request;
      • b) (without the need to justify the opposition) when the data is processed for direct marketing purposes.

      What is the data processing information?

      The information on data processing is the communication with which the data controller (pursuant to Article 13 of the Code) informs the data subject of the processing carried out and can be provided orally or in writing. The Owner therefore illustrates to the subjects to whom the data collected refer (interested):

      1. the purposes and methods of the processing carried out,
      2. the mandatory or optional nature of providing data,
      3. the consequences of the possible refusal of the provision,
      4. the scope of communication and dissemination of data,
      5. any transfer of data abroad,
      6. the rights of the interested party,
      7. the name of the owner,
      8. an indication of the identified Responsible or of the one designated for the exercise of the rights of the interested party,
      9. an indication of the Persons in charge who carry out the processing operations (obviously it is not necessary to indicate the names and surnames of the individuals but it will be sufficient to indicate the area to which they belong).

      All this information must be contained in the information that must be provided to the data subject at the time of collection of his data and, in the case of data collection from third parties, not beyond the registration of data or the first communication of the same to third parties .

      What is the data processing by the employer?

      The consent for the processing of sensitive data of employees (or para-subordinate or collaborators in various forms) in the context of the employment relationship, when the purposes of these treatments are the management of the relationship and the other obligations provided for by law, not it is necessary limitedly to the data concerning the membership of trade union associations; in other cases (state of health, religion, etc.) consent is necessary instead.

      How is data processed by electronic means?

      The processing of personal data by electronic means is permitted only if the following minimum measures are adopted:

      1. computer authentication;
      2. adoption of authentication credential management procedures;
      3. use of an authorization system;
      4. periodic updating of the identification of the scope of the processing allowed to the single appointees and persons in charge of the management or maintenance of electronic instruments;
      5. protection of electronic instruments and data against unlawful data processing, unauthorized access and certain computer programs;
      6. adoption of procedures for custody of security copies, restoration of data and systems availability;
      7. adoption of encryption techniques or identification codes for certain data processing suitable to reveal the state of health or sexual life carried out by health entity.