European Regulation 679/2016 - GDPR
The new European Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was published in the Official Journal of the European Union (OJ L 119) of 4 May 2016. The text is available in the section dedicated to the EU Regulation on the website of the Italian Data Protection Authority (Garante per la protezione dei dati personali):
http://www.garanteprivacy.it/regolazioneue
The European Regulation (hereinafter "GDPR") is directly applicable and binding in all Member States and does not require a national transposition law, except for those areas in which it refers to, derogates in favour of, or requires supplementary legislation from the individual Member States.
The change in the form of the act, from Directive to Regulation, reflects the European legislator's primary aim of placing all Member States on the same footing, guaranteeing the same rights and duties and ensuring uniform protection of personal data and legal certainty.
The EU Regulation was adopted on 27 April 2016 and entered into force on 24 May 2016 (the twentieth day after its publication in the Official Journal), but it applies in full only from 25 May 2018, the date from which it repeals Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the so-called Mother Directive).
Article 37 of Regulation (EU) 2016/679 (GDPR) requires public authorities and bodies to designate a Data Protection Officer (DPO).
We inform you that the Data Protection Officer of the University of Cassino is Dr. Elide Di Duca, Head of the Technical Secretariat of the General Management (decree no. 373 of 15/05/2018).
Among the tasks attributed by this appointment, as set out in Article 39 of the GDPR, Dr. Di Duca in particular:
- collaborates with the Data Controller in taking every action necessary to implement the new legislation;
- informs and advises the persons in charge of processing on their obligations under the European Regulation and other data protection provisions;
- monitors compliance with the Regulation within its scope of application.
As part of the obligations laid down by the GDPR, the University of Cassino and Southern Lazio is establishing the Data Controller's "Register of processing activities" provided for by Article 30 of the Regulation.
DATA BREACH INFORMATION
A personal data breach (DATA BREACH) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of Regulation (EU) 2016/679, hereinafter GDPR); in the University's case, data processed by a public administration. A data breach is therefore not only a cyber attack: it can also be an unauthorised access, an accident (e.g. a fire or a natural disaster), the simple loss of a USB key or the theft of documents containing personal data.
Procedure to follow in case of DATA BREACH:
Any person in charge of processing who notices or detects that one of the events described above has occurred must report it immediately by email to the University DPO (dpo@pec.unicas.it), copying the Head of the structure involved, indicating the data concerned and describing the event according to the following typology:
- breach of confidentiality: an unauthorised or accidental disclosure of, or access to, personal data;
- breach of integrity: an unauthorised or accidental alteration of personal data;
- breach of availability: an accidental or unauthorised loss, inaccessibility or destruction of personal data.
The report must also:
a) describe the nature of the personal data breach, indicating, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) give, if known, the name and contact details of the Data Processor or of anyone else who can provide information useful for the assessment;
c) describe the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, to mitigate its possible adverse effects.
The DPO forwards the breach report to the Privacy working group, so as to begin the assessment of the consequences of the event for the rights and freedoms of the data subjects. Within 72 hours of becoming aware of the event, the DPO and the working group may:
- decide to close the report without notification, recording it in any case in the breach register (Article 33(5) of the GDPR);
- ask the Rector, in his capacity as Data Controller, to notify the breach to the Garante (the Italian supervisory authority) (Article 33 of the GDPR).
Where the DPO assesses the breach as likely to result in a high risk to the rights and freedoms of natural persons, the data subjects are informed at the same time, so that they can take every precaution to minimise the potential damage arising from the breach (Article 34 of the GDPR).
The whole process, from the discovery of the incident to any notification to the Garante, can be summarised in the following scheme:
All persons in charge of processing are urged to report the event to the DPO as promptly as possible: if the notification to the supervisory authority is not made within 72 hours of becoming aware of the breach, it must be accompanied by the reasons for the delay, and late notification may also expose the University to the penalties provided for by the GDPR.
The notification to the Garante must contain, pursuant to Article 33 of the GDPR: a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; b) the name and contact details of the Data Protection Officer or other contact point where more information can be obtained; c) a description of the likely consequences of the personal data breach; d) a description of the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, to mitigate its possible adverse effects.
The communication to the data subjects, pursuant to Article 34 of the GDPR, contains the following information: a) the name and contact details of the Data Protection Officer or other contact point where more information can be obtained; b) a description of the likely consequences of the personal data breach; c) a description of the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, to mitigate its possible adverse effects. Communication to the data subject is not required if: a) the data controller has implemented appropriate technical and organisational measures.