
Annual Report of the Data Protection Authority 2023

The Annual Report of the Data Protection Authority for 2023 provides a comprehensive overview of the Authority’s activities in a rapidly changing environment, with a strong drive towards digital innovation, the advent of artificial intelligence and the implementation of the National Plan for Recovery and Resilience (PNRR). In this dynamic scenario, the Authority has continued to pursue its mission of protecting fundamental rights and personal data protection, facing new challenges and confirming its role as a reference authority in the Italian landscape.

Table of Contents

  • Institutional activities and relations with the institutions
  • Digitisation and Public Administration
  • Health and scientific research
  • Journalism and Freedom of Information
  • Marketing and electronic communications
  • Employment and Economic Activities
  • Artificial Intelligence and Personal Data Breaches
  • Inspection and Litigation Activities
  • Communication and International Relations
  • Conclusions

Institutional activities and relations with the institutions

The Authority has carried out intensive advisory work, providing mandatory opinions to Parliament and the Government on important legislative acts. Among the main ones is the law on the oncological right to be forgotten, which aims to prevent discrimination against people cured of oncological diseases. The Authority has also actively participated in parliamentary hearings, establishing a direct dialogue with the institutions on topical issues such as the market and competition, the use of wiretaps and the risks posed by online challenges. The Authority has also sent the Government several reports urging it to fill certain legislative gaps, particularly concerning data processing in judicial and police activities.

The law on the right to be forgotten about cancer represents an important step forward in protecting the rights of people who have been diagnosed with cancer. The Authority has played an active role in supporting the legislative process, providing advice and recommendations to ensure that the legislation was effective in preventing discrimination in various areas such as insurance, credit and employment. The right to be forgotten about cancer aims to ensure that people who have been cured of cancer are not discriminated against because of their previous state of health. This is particularly important in contexts such as applying for a mortgage, taking out life insurance or looking for work, where previous illness could be used as a reason to deny access to these opportunities. The Authority has worked to ensure that the law is broad enough to cover all possible discriminatory scenarios and that it provides effective mechanisms to enforce the rights of the persons concerned.

Furthermore, the Authority’s participation in parliamentary hearings testifies to the importance of dialogue between the Authority and political institutions. This involvement has made it possible to bring to the attention of the legislator emerging issues in data protection, such as those related to the use of wiretaps and new forms of online entertainment that can put children’s privacy at risk. The Authority has contributed to the debate on the use of wiretaps, stressing the need to balance investigative requirements with the right to confidentiality of communications. In addition, the Authority has intervened on the issue of online challenges, highlighting the risks that these may entail for the privacy and security of minors and urging the adoption of more effective preventive and control measures.

The Authority has proactively signalled to the Government the need for action to fill legislative gaps. This is particularly relevant in sensitive areas such as the processing of data in judicial and police activities, where it is crucial to ensure a balance between security needs and respect for citizens' fundamental rights. The Authority has pointed out the need for clearer and more detailed legislation on the processing of personal data by law enforcement and judicial authorities, in order to prevent abuse and ensure that data is processed in a lawful, fair and transparent manner.

Digitisation and Public Administration

The digitisation of public administration has been a central theme in the work of the Authority in 2023. The Authority has contributed to the introduction of new functionalities for the provision of online services to citizens, with the aim of simplifying and unifying the ways in which citizens access them. In this context, the proportionality and necessity of personal data processing, as well as the allocation of responsibilities among the parties involved, were critically examined, with reference to initiatives such as the centralised management of CIEId credentials, the Single Digital Gateway (SDG) and the Single Platform for Digital Notifications.

The Authority also continued to monitor the data processing carried out by the Revenue Agency (Agenzia delle Entrate) for the preparation of the pre-filled tax return, and the processing related to the National Register of Resident Population (ANPR). In particular, it issued a warning and corrective measure against ISTAT for failing to implement measures aimed at ensuring data minimisation in the context of the permanent census.

The Supervisor has supported technological innovation in public administration, recognising the potential of online services to simplify citizens' lives. However, it emphasised the need to ensure that digitisation takes place in accordance with data protection principles, by carefully assessing the proportionality and necessity of processing and clearly defining the responsibilities of the various actors involved. The Supervisor stressed that the simplification of public services must not come at the expense of the protection of citizens' personal data. It is essential that any processing of data be justified by an appropriate legal basis, that the data collected be relevant and not excessive in relation to the purposes pursued, and that adequate security measures be taken to prevent unauthorised access or misuse.

The centralized management of CIEId (Electronic ID Card) credentials is a crucial issue for citizens' digital identity. The Supervisor has ensured that the system guarantees a high level of security and protection of personal data, preventing unauthorised access and misuse of information. The Authority has paid particular attention to authentication and authorization mechanisms, security protocols used for data transmission and procedures for recovering credentials in case of loss or theft. The aim is to ensure that CIEId is a secure and reliable tool for accessing public administration online services.

The SDG is a European initiative to facilitate access for citizens and businesses to digital public services across the European Union. The Authority has helped to ensure that the implementation of the SDG in Italy takes place in compliance with data protection legislation, ensuring transparency of processing and the protection of the rights of data subjects. The Authority has worked with other European authorities to define common data protection standards and promote interoperability of digital identification systems. The aim is to create a single digital space where citizens and businesses can access public services easily and safely, regardless of their place of residence or establishment.

The single platform for digital notifications aims to centralise and simplify communication between public administration and citizens. The Authority has carefully examined the privacy implications of this platform, with particular attention to data storage, transmission security and access to information. The Authority has verified that the platform guarantees the confidentiality of communications, that data is kept for a limited period of time and that citizens can easily access information about themselves. In addition, the Authority emphasised the need to properly inform citizens about the use of the platform and their data protection rights.

The Authority has monitored the use of personal data by the Agenzia delle Entrate for the preparation of the pre-filled tax return. The objective was to ensure that data processing was limited to the purposes required by law and that appropriate measures were taken to protect the confidentiality of taxpayers' financial information. The Authority has verified that the Agenzia delle Entrate adopts adequate security measures to protect the financial data of taxpayers, both during the preparation phase of the pre-filled declaration and during the telematic transmission phase. In addition, the Authority stressed the importance of informing taxpayers about the data used for the preparation of the declaration and about the possibility to modify or supplement them.

The National Register of Resident Population (ANPR) is a centralised database that collects the personal data of all residents in Italy. The Supervisor has monitored the proper functioning of the ANPR, with particular attention to data security, the ways in which data is accessed and the purposes for which it is used. The Supervisor has verified that the ANPR is managed securely and that access to data is granted only to authorised parties for legitimate purposes. In addition, the Authority emphasised the need to ensure the accuracy and constant updating of personal data in order to avoid errors or inconsistencies that could affect citizens' rights.

The warning and corrective measure against ISTAT highlights the importance of the data minimisation principle. The Authority has reminded the Institute of the need to take measures to ensure that, in the context of the permanent census, only data strictly necessary for statistical purposes are collected, avoiding the collection of excessive or irrelevant information. This principle is fundamental to protecting the privacy of citizens and preventing misuse of the collected data.

Health and scientific research

The health and scientific research sector was an area of particular attention for the Authority in 2023. The Authority has continued to monitor the evolution of digital health, with particular reference to the Electronic Health Record (ESF), the health dossier and telemedicine. A very important topic was the use of artificial intelligence in healthcare, for which the Authority provided important clarifications regarding the legal and ethical profiles to be considered.

The Authority has intervened in several cases of unlawful processing of personal data in the health field, taking measures following data breaches, complaints and reports, and ex officio investigations. Particular attention has been paid to processing for purposes other than care, for which the Supervisor has reiterated the need for an appropriate legal basis and adequate information to interested parties.

With regard to scientific research, the Authority has provided clarifications regarding the application of Article 110-bis of the Code, which regulates the processing of personal data for these purposes.

Journalism and Freedom of Information

The Supervisor continued to work intensively on balancing freedom of information and the right to personal data protection. The Authority has examined a large number of complaints and reports relating to the dissemination of news on the Internet and social media, with particular reference to requests for de-indexing addressed to search engines and disputes relating to the publication of personal data deemed excessive or disseminated in violation of specific limits.

The Authority has intervened in several cases to ensure compliance with the principles of essentiality of information and protection of data relating to minors, health data and data on well-known persons.

Marketing and electronic communications

The fight against unwanted telemarketing has been a priority area of intervention for the Authority in 2023. The Authority has adopted numerous sanctions against individuals who have made illegal promotional calls, often using illegally acquired contact lists or call centers located outside the European Union.

The Authority also drew attention to new marketing frontiers, such as online profiling, the use of dark patterns and illicit databases.

In the field of electronic communications, the Authority has been involved in traffic data retention, cookies and other tracking tools, processing of personal data on the web and through connected devices, and artificial intelligence.

Employment and economic activities

The Supervisor has paid particular attention to the protection of personal data in the context of employment, both public and private. The Authority has intervened in matters of data processing by electronic mail, exercise of rights, biometric and health data, video surveillance, publication of data on the internet, use of technological devices and whistleblowing.

With regard to economic activities, the Authority has carried out control and sanction activities in various sectors, including insurance, banking and finance, companies and public service concession holders.

Artificial Intelligence and Personal Data Breaches

Artificial intelligence has been a cross-cutting theme in the work of the Authority in 2023. The Authority highlighted the potential of this technology, but also the risks to the rights and freedoms of individuals, with particular reference to biometric identification and profiling systems.

The Authority has continued to monitor the phenomenon of personal data breaches, providing guidance and taking action in cases of unlawful processing.

Inspection and Litigation Activities

The Supervisor’s inspection activity has been a fundamental tool for the detection of violations of personal data protection legislation. The Authority has carried out checks both online and at the premises of the data controllers, also using the collaboration of the Guardia di Finanza.

The Authority has been an active party to numerous legal disputes, both in opposition to its own measures and in cases relating to the protection of personal data.

Communication and International Relations

The Supervisor has carried out an intensive communication and information activity, addressed both to the public and to operators in the sector. The Authority used different channels, including the institutional website, multimedia products, publications, events and conferences.

At the international level, the Authority has actively participated in the activities of the European Data Protection Board (EDPB) and other international bodies, contributing to the development of cooperation between data protection authorities.

Conclusions

The Annual Report for 2023 testifies to the Authority’s ongoing commitment to protecting fundamental rights and personal data in a constantly changing environment. The challenges posed by digitisation, artificial intelligence and new technologies require increasing attention and timely action to ensure that personal data is processed in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, integrity and confidentiality.
