Setting up a Newco in Italy: Data and privacy compliance

What do you need to know before setting up a Newco in Italy?

There are several options available for setting up a Newco project in Italy. The range of corporate structures allows entrepreneurs to tailor their business to the type of company they want to establish. Furthermore, in recent years, several regulatory reforms have helped reduce the burdens and remove the obstacles to new business opportunities. However, Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) has placed new duties and obligations on all companies that process personal data in the context of their business activities.

The GDPR was designed to reinforce the rights of EU residents regarding the way organisations use their personal information. This is the case for both Italian citizens and those who moved to this country and enjoy nearly the same rights. In this sense, VGS professionals recommend following a specific compliance path. The points below outline a few aspects that any entrepreneur should take into consideration when starting a business in Italy.

SME companies in Italy must have a clear purpose for collecting personal information while giving data subjects the chance to consent, review, amend, or challenge organisations’ data processing practices. In addition, while setting up the company, you need to start planning the implementation of security measures to protect personal data from breaches or misuse.

While personal data is considered information that relates to identified or identifiable individuals, the new company may have an interest in processing special categories of data such as racial or ethnic origin, religious belief or biometric data. In this case, the GDPR requires organisations to take extra steps to protect the data processing.

GDPR applies to all organisations processing EU residents’ personal information, whatever their corporate structure. However, if your organisation employs fewer than 250 people, you only need to document some specific activities, such as rare procedures or activities that result in a risk for the rights and freedoms of data subjects.

VGS professionals highlight the following fundamental aspects:

Consent: One of the most important aspects of GDPR for SME companies is the data subject’s consent. There are six available legal bases to process personal data. In the absence of one of those legal bases, companies should rely on consent. For consent to be valid and lawfully relied upon, data subjects need to give it through a clear and affirmative action (no pre-ticked boxes or hidden agreements);

Marketing: The six legal bases inform how you can use personal data for marketing purposes. Usually, the way you use data for marketing should have a minimal impact, and data subjects must be aware of how and for what purposes you are using their data;

Data Breach Reporting: Usually, organisations must notify their DPA (Data Protection Authority; in Italy, the Garante della Privacy) of a data breach within 72 hours. The definition of a data breach goes beyond cyber attacks and also includes unlawful destruction, alteration, access or disclosure;

Data Subjects’ Rights: GDPR grants specific rights to individuals in relation to their personal data. Organisations, under certain circumstances, are required to comply with their requests, which may involve access to personal data (Right to access), the portability of data (Right to portability), amendment of data (Right to rectification), cancellation of data (Right to erasure) and so on;

Assignment of responsibility: While setting up the structure of the Newco, you must make somebody skilled responsible for data privacy and data protection. In addition, you need to consider whether to appoint an internal or external DPO (Data Protection Officer), who will act as the main data privacy figure in your organisation;

Controller’s Responsibility: The organisation will usually act as a Data Controller, which is the subject that decides the means and purposes of data processing. Given that, your organisation is responsible for GDPR compliance and must demonstrate it through the system of accountability established by the GDPR.

VGS professionals have already assisted clients with privacy and data protection needs. Even though each circumstance requires a case-by-case analysis, there are some core aspects that each new organisation must take into consideration.