Presentation by the Italian Supervisory Authority at Data protection in the Western Balkans and the Eastern Partnership Region. High-level exchange and learning week organised by SIGMA, GIZ, RCC and ReSPA.

1. Il Garante
The Italian Supervisory Authority
BRUSSELS, 18 09 2023
LUIGI MONTUORI– HEAD OF SERVICE FOR EU AND INTERNATIONAL MATTERS

2.  General Legal Framework
 Features of the Authority
 Members of the Panel
 Tasks and powers
 Organisational framework
 Staff
 Statistics

3. General Legal Framework
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC
- EU Directive 2016/680 of the European Parliament and of the Council, of 27 April 2016, on the
protection of natural persons with regard to the processing of personal data by competent authorities
for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA
-- Legislative decree No 196 of 30 June 2003, Personal Data Protection Code’: as amended by legislative
decree No 101 of 10 August 2018 containing provisions to adapt the national legal system to Regulation
(EU) 2016/679 and by legislative decree No 51 of 18 May 2018 containing provisions to adapt the
national legal system to directive (EU) 2016/680
-- Legislative decree No 51 of 18 May 2018 implementing EU Directive 2016/680
https://www.garanteprivacy.it/documents/10160/0/Data+Protection+Code.pdf/

4. The Garante
(Section 2-a + Section 153 DP Code)
The Garante was set up by the DP Act 1996
Is the independent public supervisory authority
referred to in Article 51 GDPR (Section 2-a DPCode).
◦ The Garante is made up of a Collegiate Body directing it plus an Office (Section 153 DP Code):
◦ The Collegiate body includes 4 members elected by Parliament (two by the Chamber of
Deputies and two by the Senate through a specific voting procedure) for a seven year term. Not
renewable (The previous term of office was four years and was renewable once)
◦ The members are elected out of the candidates applying according to a specific, transparent
selection procedure publicised by a notice posted on the websites of the Chamber of Deputies,
the Senate and the Garante, at least sixty days prior to the respective appointments
◦ The members elect their President (and the Vice-president, replacing him/her in case of his/her
absence/unavalability). The President has the casting vote in case of a tie.

5. Members of the Collegiate
Panel of the Garante
(Section 153 DPCode)
• Persons ensuring independence
• Proven experience in the field of law or computer science
• Not allowed to carry out professional or advisory activities, manage or be employed by public or
private entities, or hold elective offices
• The members of the Panel of Commissioners shall keep secret, both during and after their term of
office, any confidential information they may have acquired in discharging their functions or
exercising their powers
•President, members, secretary general and staff shall refrain from handling proceedings before the
Garante for two years following termination of their functions or service with the Garante, including
the submission of complaints, requests for opinions or queries on behalf of third parties.

6. Tasks and Powers 1
(GDPR + DPCode)
In particular:
Garante’s powers and competence: Articles 57 and 58 of GDPR – including the power to start
investigations not only following complaints or alerts (Article 77 GDPR) or data breach
notifications (Article 33 GDPR), but also of its own volition. Moreover, the Garante:
• is empowered to request the controller, processor, data subject or third parties ‘to provide
information and produce documents as also related to the contents of databases’ (Section 157
DPCode)
• may order that databases and filing systems be accessed, carry out inspections at the premises
where the processing takes place, and investigations that are instrumental to check compliance
with personal data protection law (Section 158)
• may avail itself of the co-operation of other State agencies in discharging its institutional tasks
(Italian financial police, etc.)
• is empowered to impose corrective measures and fines

8. Organisational Framework 1
For those aspects not regulated directly by the GDPR/DPCode, the Garante
adopts its own administrative regulations (Section 142 and 156(3)(a) DPCode).
On 4 April 2019 the DPA adopted two different administrative regulations:
• Regulation 1/2019 which regulates the proceedings before the Garante (e.g.
Section 3 reiterates the general principles of fairness and transparency of the
proceeding before the SA, Sections 8 to 18 regulate the handling of complaints
including the parties’ right to access documents and file submissions, etc.)
• Regulation 2/2019 which provides for specific time-limits with regard to the
different types of proceedings the SA is competent for.

9. Organisational Framework 2
Sections 155-156 of the DP Code
Regulations issued autonomously:
no. 1/2000 on organization and operation of the Office
no. 2/2000 on staff regulations and salaries
no. 3/2000 on administration and accounting mechanisms
no. 3/2006 – Access to documents
Internal regulations are available at: https://www.garanteprivacy.it/home/autorita/regolamenti-interni

10. Regulation 1/2000
Setting up several
Departments for Law Matters:
• Businesses and Profit-Seeking Entities
• Public entities
• Health Care and Research
• Communications and Electronic Networks and Marketing
• Freedom of expression and cyberbullying
• Legal and judicial matters
• A.I.

11. Regulation 1/2000 - Services
• Service for Legislative and Institutional Relationships
• Service for Research and Documentation
• Performance Assessment Unit (data collection)
• Press Office and Outreach Service
• Front Office (FAQ)
• EU and International Matters Service

12. Tasks and Powers 2
(GDPR + DPCode)
• Providing information to judicial authorities on the most serious
breaches of data protection law
• Commencing legal proceedings against a controller or processor in case of
infringement of personal data protection provisions
• Raising awareness of privacy legislation
• Encouraging the adoption of codes of conduct

13. Tasks and Powers 3
(GDPR+ DP Code)
• Drawing Parliament’s and Government’s attention
to the measures required in connection with data protection
• Giving opinions on legislative and administrative measures relating to the
protection of natural persons' rights and freedoms with regard to processing
• Submitting the annual report under Article 59 GDPR to Parliament and
Government

14. Task and Powers 4
(Section 154.2 DPCode)
The Garante discharges supervisory or assistance tasks on data processing as provided for by laws
ratifying international agreements and EU regulations, with particular regard to:
a) Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA (SIS II);
b) Regulation (EU) 2016/794 (Europol)
c) Regulation (EU) 2015/1525 on mutual assistance on customs and agricultural matters and Council Decision
2009/917/JHA on the use of information technology for customs purposes;
d) Regulation (EU) No 603/2013 (Eurodac)
e) Regulation (EC) No 767/2008 (VIS Regulation) and Council Decision 2008/633/JHA on access for consultation of VIS;
f) Regulation (EU) No 1024/2012 on administrative cooperation through the Internal Market Information System (‘the IMI
Regulation’ );
g) Chapter IV of Council of Europe - Convention 108/1981

15. Planning of the activities
Section 4, Regulation 1/2019
- At least twice yearly, adoption by Collegiate Panel
- In accordance with general principles of administrative activity
(effectiveness, efficiency, transparency, proportionality, non
-discrimination,…)
- Concerns:
◦ the work of the Collegiate Panel;
◦ the priority areas in the handling of cases by the Office;
◦ the planning of inspection activities.
 Possibility to prioritise the handling of cases by having regard (also)
- to the resources available in relation to the workload,
- to the nature and gravity of the infringements, the extent of the injury and the number of data
subjects possibly concerned

16. International and EU Matters
•European Data Protection Board (EEA MS’ SA’s)
•Joint Supervisory Bodies (Schengen, Europol,
•Eurodac, Customs)
•CoE (Convention 108/81 Committee, «T-PD»)
•OECD («SPDE»)
•International Cooperation (Case Handling Network, GPEN, G7-DPAs, Other Forums)
•External Interfacing and Follow-up (Intl. Conferences, Twinnings, Training Projects)
•Internal Interfacing:
◦ Follow-up on domestic implementation measures (e.g.: Directive 136/2009)
◦ Institutional Co-operation (Governmental bodies, Parliament)
◦ Provides opinion on the preliminary rulling that the national courts submit to the Court of Justice
◦ Co-operation with other departments, units in SA (cross-border proceedings, etc.)

17. Statistics 1 – The Garante in 2022
442 decisions from the Garante as a collegiate body
9.218 complaints and reports finalised (inter alia, on marketing and IT networks,
online data from public bodies, health, IT security, banking and financial sector)
81 opinions on administrative acts (including legislation and other instruments
regarding health care, taxation, justice, digitalisation of the public sector, statistics)
Collected Fines 9.459.457 euro
140 on-site inspections (45 were carried out directly by the staff at the Office, the
remaining 95 were instead delegated to the Special Privacy and Technological Fraud
Unit of the Financial Police) in particular concerning e-invoicing, public databases,
whistleblowing software, marketing, food delivery.
15,000 replies to questions via the front office, mostly concerning the application of
GDPR, unsolicited marketing communications and online processing of data,
employment, video surveillance, banking and credit sector
Participation in 216 EU and international meetings (including EDPB expert subgroups)

18. Statistics 2 – The Garante in 2022
EDPB Plenary 15
Partecipation in EDPB subgroup, TF/DT 162
Meetings and inspections of joint authorities/supervisory bodies (Europol, SIS II, Dogane, Eurodac, VIS) 10
International Conferences 4
Meetings OCSE and CoE 12
Other International Conferences 13

19. Staff (on paper)
 As of 31.12.2022, 148 positions were covered. Public competitive examinations are in progress to
recruit additional staff. 12 additional junior officials will join the staff shortly.

20. Thank you
l.montuori@gpdp.it