Important developments on companies’ liability for data protection breaches.
As you may know, Italian law (the so-called “Law 231”) provides for a regime of criminal corporate liability and sanctions in the event that directors, managers or employees commit certain types of crimes in the interest of and/or to the advantage of their companies (or group companies).
The list of these crimes, which includes, for instance, corruption and IP rights breach, has progressively been extended by the Italian Government. Since 17 August 2013, the list also includes (i) unlawful processing of personal data, (ii) false information in the communications and notification to the Italian Data Protection Authority (Garante Privacy), and (iii) non-compliance with the Garante Privacy’s orders.
The extension of the criminal corporate liability regime to privacy-related crimes will likely have a considerable impact on companies’ operations.
Companies’ management often regards privacy compliance as a cost that can be postponed. This latest amendment to Law 231 could change this approach, and data protection may well rank as a top priority for companies operating in Italy.
In order to avoid criminal corporate liability and related sanctions, companies have to set up and implement internal management and organizational models aimed at preventing crimes. Such organizational models provide for, among other things:
the identification of the potentially risky areas;
the implementation of an appropriate internal monitoring and sanctioning system to exclude/limit the potential risks.
If companies do not adopt effective and updated internal models of organization, there may be monetary sanctions of up to 774,500 Euro. Moreover, further administrative sanctions may be applied, such as the suspension or termination of public licenses (e.g. gaming licenses), the prohibition of advertising the company’s products or services, or the prohibition of contracting with the public administration, which may well jeopardize the entire company’s operations.
All of the above will likely lead to an increase in data protection compliance audits and in the implementation of organizational models.